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Chapter 1: Introduction 



This volume discusses how to apply content filtering and virus scanning to 
requested and posted Web content in an enterprise, which is vital to securing 
the network and improving productivity. 

□ Content filtering allows you to regulate, based on content categories, which 
Web sites employees are allowed to access and which are restricted. 

□ Virus scanning allows you to scan both incoming content and content 
leaving the enterprise network for viruses and other malicious code, such 
as drive-by software that propagates spyware. 

How This Document Is Organized 

Table 1-1 describes the document components in Volume 7: Managing Content. 



Table 1-1 Document Organization 



Chapter Title 


Description 


Chapter 1: "Introduction" 


Provides information about this document, 
conventions used, and related documentation. 


Chapter 2: "Filtering Web 
Content" 


Describes how to configure the ProxySG to 
process client Web requests and filter the 
returning content. 


Chapter 3: "Malicious Content 
Scanning Services" 


Describes how to configure the ProxySG to 
interact with external Internet Content 
Adaptation Protocol (ICAP) clients and servers 
to provide content scanning and 
transformation. 


Chapter 4: "Configuring Service 
Groups" 


Describes how to create and manage ICAP or 
Websense service groups. 


Appendix A: "Troubleshooting" 


Describes common issues that might occur 
when filtering Web content, and suggested 
solutions. 



Table 1-2 Document Conventions 



Conventions 


Definition 


Italics 


The first use of a new or Blue Coat-proprietary term. 


Courier font 


Screen output. For example, command line text, file names, and 
Blue Coat Content Policy Language (CPL). 
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Table 1-2 Document Conventions (Continued) 



Courier Italics 


A command line variable that is to be substituted with a literal 
name or value pertaining to the appropriate facet of your 
network system. 


Courier Boldface 


A Blue Coat literal to be entered as shown. 


Arial Boldface 


Screen elements in the Management Console. 


{ } 


One of the parameters enclosed within the braces must be 
supplied 


[ ] 


An optional parameter or parameters. 


1 


Either the parameter before or after the pipe character can or 
must be selected, but not both. 



Notes and Warnings 

The following is provided for your information and to caution you against actions 
that can result in data loss or personal injury: 



Note: Information to which you should pay attention. 



Important: Critical information that is not related to equipment damage or 

personal injury (for example, data loss). 



WARNING! Used only to inform you of danger of personal injury or physical 
damage to equipment. An example is a warning against electrostatic discharge 
(ESD) when installing equipment. 



About Procedures 

Many of the procedures in this volume begin: 

□ Select Configuration > TabName, if you are working in the Management Console, 
or 

□ From the (config) prompt, if you are working in the command line interface (CLI). 

Blue Coat assumes that you are logged into the first page of the Management 
Console or entered into configuration mode in the CLI. 



Illustrations 

To save space, screen shots illustrating a procedure often have the bottom portion 
removed, along with the blank space. 
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General 

- Unique name for this ProxySG Appliance: 

Name: 172 . 16.90.44 - Blue Coat SG200 Series 



- Serial number of the ProxySG Appliance: 

Serial number: 





Preview 


Apply 


Revert 


Help 



Figure 1-1 Configuration > General Tab with Bottom Buttons 



□ Preview: Click this button to view the configuration changes before applying 
the configuration to the ProxySG. To modify your changes, click Close and 
return to the tab whose settings you want to modify 

□ Apply: Click this button to apply unsaved configuration changes to the 
ProxySG. 

□ Revert: Click this button to revert any unapplied changes to the ProxySG 
configuration. Changes that previously have been applied to the ProxySG are 
not affected. 



□ Help: Click this button to view conceptual and procedural documentation 
about the tab's topic. 



General 

- Unique name for this ProxySG Appliance: 

Name: 172 . 16,90.44 - Blue Coat SG200 Series 

- Serial number of the ProxySG Appliance: 

Serial number: 



Figure 1-2 Configuration > General Tab with Bottom Buttons Removed 
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Chapter 2: Filtering Web Content 



This chapter describes how to configure the ProxySG to process client Web 
requests and filter the returning content. 

Topics in this Chapter 

This chapter includes information about the following topics: 
a Section A: "About Filtering Web Content" on page 12 

□ Section B: "Configuring Blue Coat Web Filter" on page 16 

□ Section C: "Configuring a Local Database" on page 26 

□ Section D: "Configuring Internet Watch Foundation" on page 30 

□ Section E: "Configuring a Third-Party Vendor" on page 34 

□ Section F: "Applying Policy" on page 44 

□ Section G: "Configuring Websense Off-Box Content Filtering" on page 52 
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Section A: About Filtering Web Content 

Content filtering allows you to control access to Web sites based on their 
perceived content. This section describes content filtering databases and 
categories, on-box versus off-box solutions. Blue Coat content filtering options, 
and Dynamic Real-Time Rating (DRTR). 

About Content Filtering Databases 

A content filtering database is simply a set of rules for organizing URLs into 
meaningful categories. Depending on the vendor, a URL is listed under one 
category or several categories. 

A content filtering database does not block any Web site or any category by 
default. The role of the database is to offer additional information to the proxy 
server and to the administrator about the client request. Client access depends on 
the rules and policies implemented by the administrator in accordance with 
company standards. 



Important: Because of the dynamic nature of the Internet, there is a constant flow 

of new URLs (and URLs on lesser-known sites) that will not be in the existing 
content filtering database. Those URLs that are not in the database are marked as 
none, and you can create a policy to categorize these. 



Setting the Memory Allocation 

Content filtering databases are becoming quite large and, in some cases, could 
cause CPU spikes, appliance restarts, and other performance issues. It is 
important to set the memory allocation for your specific deployment needs in 
order to avoid any resulting performance issues. 

The Normal memory allocation setting is ideal for most deployments, except for 
the following situations: 

□ If you are not using ADN and have a high transaction rate for content filtering, 
you can increase the memory allocation setting to High. This helps content 
filtering rim more efficiently. 

□ If you are using both ADN and content filtering but the transaction rate for 
content filtering isn't very high, you can reduce the memory allocation setting 
to Low. This makes more resources available for ADN, allowing it to support a 
larger number of concurrent connections. 

To set the memory allocation for content filtering: 

1. Select Configuration > Content Filtering > General. 

2. Select the memory allocation setting that works for your deployment: Low, 
Normal, or High. 

3. Click Apply. 
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Section A: About Filtering Web Content 



Related Syntax to Change the Memory Allocation 

To enter configuration mode: 

SGOS# (config) content-filter 

SGOS# (config content-filter) memory allocation ? 
high Maximize memory use for filtering 
low Minimize memory use for filtering 

normal Use the default amount of memory for filtering 

About Content Filtering Categories 

A small number of categories can be used to effectively classify the vast and 
constantly growing number of URLs that are found on the Web. After the Web 
sites and content are categorized, you can control access to that content through 
policy 

Individual content filter providers (Blue Coat Web Filter or third-party vendors) 
define the content- filtering categories and their meanings. After providers are 
configured and the databases are available, URLs can be mapped to lists of 
categories. These categories are then made available to policy, where decisions 
like limiting online shopping or blocking job searching can be controlled. 

For example: 

<proxy> 

url . category=" Jobs" exception ( content_f ilter_denied ) 



Note: You can request that specific URLs be reviewed for correct categorization, if 
your content filtering provider supports this. For Blue Coat Web Filter, visit 
http:/ / sitereview.bluecoat.com/ to have a URL's category reviewed. 



On-Box Versus Off-Box Solutions 

You can deploy content filtering in the following two ways, both of which the 

ProxySG supports: 

□ On-box: When the content filtering database exists on the proxy. This provides 
the best performance because the proxy does not need to retrieve information 
from another network server. 

□ Off-box: When the proxy must contact another server over the network to 
categorize URLs. 

The following diagram illustrates the process flow when Web content filtering 

(on-box or off-box) is employed in the network. 
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Legend 

A: A client connected to the ProxySG. 

B: ProxySG content filtering solution (content filter vendor + Blue Coat policy). 

C: Web Content. 

Process Flow 

1: (Blue arrow) The client requests a Web page. 

2: The ProxySG checks the requested URL against the content filtering database to 
determine the categorization. 

3: After the URL is categorized, the policy engine determines if the URL is allowable or 
not. 

4: (Blue arrow) The URL is allowed and the request continues to its destination. 

5. (Red arrow) The policy denies the request and returns a message concerning? 
corporate Web compliance. 

Figure 2-1 Web Content Filtering Process Flow (On-box or Off-box) 

ProxySG Content Filtering Options 

The ProxySG offers the following content filtering options, any of which you can 

use separately or simultaneously: 

□ Using Blue Coat Web Filter (BCWF), an on-box content filtering database 
maintained by Blue Coat, which also offers dynamic category-rating abilities. 
For example, if a URL is not found in the on-box database, BCWF can attempt 
to categorize it dynamically, in real time. See Section B: "Configuring Blue 
Coat Web Filter" on page 16. 

□ Uploading your custom content filtering database to the ProxySG. You would 
create your own local database file in the same way that you create policy 
files, except that only define category statements are allowed in the local 
database. See Section C: "Configuring a Local Database" on page 26. 

□ Enabling the Internet Watch Foundation (IWF) database. See Section D: 
"Configuring Internet Watch Foundation" on page 30. 



Note: or information about the IWF, visit their Web site at: 
http:/ / www.iwf.org.uk/ 
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Section A: About Filtering Web Content 

□ Using a currently supported third-party content filtering vendor database. See 
Section E: "Configuring a Third-Party Vendor" on page 34. 

See Also 

□ "About Content Filtering Databases" 

□ "Setting the Memory Allocation" 

□ "About Content Filtering Categories" 
a "On-Box Versus Off-Box Solutions" 
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Section B: Configuring Blue Coat Web Filter 

This section describes how to select and configure Blue Coat Web Filter (BCWF), 
how to schedule a custom database update schedule, and how to change DRTR 
settings. 



Important: BCWF requires a valid license provided by Blue Coat. Refer to the 

Licensing chapter in Volume 1: Getting Started. 



About Blue Coat Web Filter 

Blue Coat Web Filter (BCWF) is a comprehensive URL-filtering database 
specifically designed for on-box deployment on the ProxySG. It works in 
combination with the ProxySG dynamic categorization service, which provides real- 
time categorization of unlisted URLs. For more information about real-time rating 
and the dynamic categorization of URLs, see "About Dynamic Real-Time Rating" 
on page 16. 

A world-wide network of servers allows the ProxySG to expediently update the 
master BCWF database. For information about BCWF automatic updating feature 
and scheduling updates, see "Specifying a Custom Time Period to Update Blue 
Coat Web Filter" on page 20. 



Note: BCWF supports many languages. Refer to the Blue Coat Release Notes for 
this release for the most up-to-date list of supported languages. 



About Dynamic Real-Time Rating 



Dynamic Real-Time Rating (DRTR) provides real-time analysis and content 
categorization of requested Web pages to solve the problem of new and 
previously unknown, uncategorized URLs — those not in the database. 



When a user requests a URL that has not already been categorized by BCWF 
database (for example, a brand new Web site), the ProxySG dynamic 
categorization service analyzes elements of the requested content and assigns a 
category or categories. The dynamic service is consulted only when the installed 
BCWF database does not contain sufficient category information for a requested 
URL. 



Note: If the category returned by this service is blocked by policy, the offending 
material never enters the network in any form. 



About the DRTR Process 

Dynamic analysis of content is performed on a remote network service and not 
locally on the ProxySG. There is a small amount of bandwidth used for the round- 
trip request and response, and a slight amount of time waiting for the service to 
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provide results. The service is only consulted for URLs that cannot be locally 
categorized and results are cached on the ProxySG, so the user experience is 
generally not affected. 

To avoid per-request latency, you might want to run DRTR in background mode. For 
more information, see "Configuring Dynamic Real-Time Rating" on page 21. 

The following diagram illustrates BCWF content filtering flow when DRTR is 
employed. 






Legend 




A: A client connected into the ProxySG. 

B: ProxySG with BCWF content filtering and DRTR enabled. 
C: DRTR server. 

D: Web content. 



Process Flow 

1: (Blue arrow) Client 1 requests a Web page. 

2: The ProxySG checks the requested URL against the BCWF database for 
categorization. No match is found. 

3: The remote Dynamic Rating Service accesses and analyzes the requested site, and 
categorizes the content. 

4: After the URL is categorized, the policy engine determines if the URL is allowable or 
not. Steps 5 and 6 describe what happens if the URL is allowable. Step 7 describes 
what happens if the URL is not allowable. 

5: (Blue arrow) The URL is allowed and the request continues to its destination for full 
retrieval. 

6: (Blue arrow) The allowed content is served back to the client. 

7: (Red arrow) The policy denies the request and returns a message concerning 
corporate Web compliance. 



Figure 2-2 BCWF with DRTR Content Employed 



Selecting Blue Coat Web Filter 

To select Blue Coat Web Filter: 

1. Select Configuration > Content Filtering > General. 
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General 






Provider Enable Lookup mode 

Local Database: p] 0 A| wa y S Q Uncategorized 

Internet Watch Foundation: Q ©Always O Uncategorized 

Blue Coat Web Filter: [✓] 0 a| wa y S Q Uncategorized 

3rd-party database: None v 0 ^| wa y S Q Uncategorized 








@ Enable Category Review Message in Exceptions 





2. Select Enable for Blue Coat Web Filter. 

3. Select the Lookup Mode. 



a. The default is Always, which specifies that BCWF will always be 
consulted for category information. 

b. Uncategorized specifies that the lookup is skipped if the URL has 
already been found in policy, a Local database, or the Internet Watch 
Foundation (IWF) database. 

4. (Optional) In the Options section, select Enable Category Review Message in 

Exceptions. This adds a link to the default content filter exception page that can 
be used to request review of the categories assigned to a blocked URL. 

Two substitutions ($ (exception_category_review_url) and 
$ (exception_category_review_message) ) are automatically appended to the 
help element of all exception definitions. For information on using the 
$ (exception. help) element, refer to Volume 6: The Visual Policy Manager and 
Advanced Policy. 



Note: The substitution values are empty if the database was not 
consulted for categorization or if the categorization process failed due to 
an error. 



5. Select the memory allocation setting that is best your deployment. For full 
details about how to determine your memory allocation setting, see "Setting 
the Memory Allocation" on page 12. 

6. Click Apply. 

Note: If this is the first time you enabled BCWF, a small database that contains 
the category list is downloaded, allowing immediate policy creation. 

To download the database on demand or on a schedule, you must configure 
BCWF service. 
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Configuring Blue Coat Web Filter 

To configure Blue Coat Web filter: 

1. Select Configuration > Content Filtering > Blue Coat. 

Blue Coat Web Filter Dynamic Categorization (DRTR) 




2b 



2. When you subscribed to BCWF Service, you received a username and 
password for access to download updates. 

a. In the Username field, enter your username. 

b. Click Change Password. The Change Password dialog displays. 

c. Enter your password and click OK to close the dialog. 

3. Download the database: 

a. The default database download location displays in the URL field. 

Note: Only enter a new URL if instructed. Otherwise, accept the default. 

b. Click Download Now. The Download Status dialog displays. 
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c. Click Close to close the Download status dialog. 

d. Click View Download Status. A new browser window opens and displays 
the Download log. For example: 

Download log: 

Blue Coat download at: 2008/08/09 17:40:42-0400 

Downloading from https://list.bluecoat. com/bcwf / activity /download/ 
bcwf . db 

Requesting differential update 
Differential update applied successfully 
Download size: 84103448 

Database date: Sat, 09 Aug 2008 08:11:51 UTC 

Database expires: Mon, 08 Sep 2008 08:11:51 UTC 

Database version: 2005040 

e. When you are finished viewing the download log, close the browser 
window. 

4. Click Apply. 

Specifying a Custom Time Period to Update Blue Coat Web Filter 

The ProxySG checks for updates to the database several times an hour. When an 
update is available, it is automatically downloaded and applied. Typically, an 
update contains only the information that has changed. 

You can prevent this automatic check entirely by disabling automatic updates. 
You can also restrict the checks to occur only within a specific time period. For 
example, you can choose to check for updates only between the hours of 8 am and 
11 pm. The time frame is always local time. 



Note: When the database is downloaded, a log is available that includes detailed 
information about how the database was updated. You can view the download 
log in the Management Console by clicking View Download Status on the BCWF tab, 
selecting Statistics > Advanced > Content Filter Service, or in the CLI (SGOS#(config) 

show content-filter status). 
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To specify a custom time period for updates: 

1. Select Configuration > Content Filtering > Blue Coat. The Automatically Check for 
Updates option is selected by default. 

Blue Coat Web Filter Dynamic Categorization (DRTR) 




2. Configure the options: 

a. Select the Only between the hours of option. The time frame is local time. 

b. Click the arrows to view the drop-down lists, and set the time period 
for your update schedule. For example, to check for updates between 
the hours of 7 pm and midnight, set the first box to 19:00 and the 
second box to 23:59. 

3. Click Apply . 

See Also 

□ "About Dynamic Real-Time Rating" 
a "Configuring Dynamic Real-Time Rating" 

Configuring Dynamic Real-Time Rating 

By default, DRTR is enabled and configured to categorize un-categorized URLs. If 
this service is causing significant delays to enterprise Web communications, you 
can run it in the background or disable it. 



Note: Customers who are using BCWF now have the option to secure their DRTR 
connection. See "Configuring DRTR" on page 22. 



About Proxy Chaining Support for DRTR 

The ProxySG allows you to forward BCWF DRTR requests through upstream 
proxies and SOCKS gateways, which eliminates the requirement for the ProxySG 
to have direct connection to back-end servers. 



21 




Volume 7: Managing Content 



Section B: Configuring Blue Coat Web Filter 



Important: Do not define your proxy as a server. If you attempt to configure 

proxy chaining using a server, an error occurs. 



Forwarding Hosts and Groups 

You can specify the alias of a forwarding host or group that has already been 
defined. If you want the DRTR requests to be forwarded through an upstream 
HTTP proxy, configure a forwarding host that is defined as a proxy and has an 
HTTP port set. Then select that forwarding host in the DRTR configuration. 



Important: If forwarding is configured, you cannot enable secure DRTR; if secure 

DRTR is enabled, you cannot select a forwarding host. The forwarding host 
would need to terminate the SSL connection correctly, and it does not have the 
correct SSL certificate to do that. 



SOCKS Gateways 

When you use proxy chaining to forward DRTR requests through an upstream 
SOCKS gateway, you must configure the SOCKS gateway. When both SOCKS and 
forwarding are configured, the ProxySG connect to the SOCKS gateway first, then 
to the forwarding host, and then to the DRTR service. 



Important: If you cannot connect to the DRTR service, verify that the SOCKS 

gateway is operating correctly and take steps to repair it. 



Configuring DRTR 

Complete the following procedures to configure Dynamic Categorization 
(DRTR). DRTR is enabled by default. 

To configure DRTR: 

1. Select Configuration > Content Filtering > Blue Coat > Dynamic Categorization (DRTR). 
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Enabled by 
default 



2 



3 



Blue Coat Web Filter Dynamic Categorization (DRTR) 

^ @ Enable Dynamic Categorization (DRTR) 



- Dynamic Categorization settings 

--c=* * Default Mode: 

O Do not categorize dynamically 

O Categorize dynamically in the background 
® Categorize dynamically in real-time 



■c=* 0 Use secure connections 



Forwarding target: 
SOCKS gateway target: 



none 



v 



Enable Dynamic Categorization (DRTR) is selected by default. If DRTR is disabled, 
the ProxySG does not contact the service when no category is found for a URL 
in the database, and all Dynamic Categorization properties specified in policy 
are ignored. If DRTR is enabled for BCWF, it is only invoked while BCWF is in 
use. 



Note: If BCWF license has expired and DRTR is enabled, the service enters a suspended 
state. For more information, see "About DRTR States" on page 24. 



2. Select a default mode: 

• Do not categorize dynamically. The loaded database is consulted for category 
information. URLs not found in the database show up as category none. 
Dynamic categorization is still possible, but only occurs when explicitly 
invoked by policy. 

• Categorize dynamically in the background. In background mode, after a call is 
made to the dynamic categorization service, the URL request immediately 
proceeds without waiting for the external service to respond. The system 
category pending is assigned to the request, indicating that the policy was 
evaluated with potentially incomplete category information. 

The results of DRTR are entered into a categorization cache (as are the 
results of real-time requests). This cache ensures that any subsequent 
requests for the same or similar URLs can be categorized quickly, without 
needing to query the external service again. 
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• Categorize dynamically in real-time (default). In real-time mode, if the category 
of the request is not already known, the URL request will wait for the 
external service to respond with the categorization before proceeding. The 
advantage of real-time mode categorization is that Blue Coat policy has 
access to the results, allowing policy decisions to be made immediately 
after receiving all available information. 

3. (Optional) To enable secure connections, select Use secure connections. 

Note: For most situations, using secure connections does not significantly 
decrease performance. If you are regularly processing a large number of 
unrated sites, using secure connections might have a larger performance 
impact. 



4. Click Apply. 

About DRTR States 

DRTR has three states: 

□ Enabled: The service attempts to categorize unrated Web sites. This is the 
default state. 

□ Disabled: If the service is disabled, the ProxySG does not make any contact 
with the service, regardless of any installed policy. 

□ Suspended: Categorization from the database continues, but the service is no 
longer employed. This occurs when the installed database is over 30 days old 
due to the expiration of BCWF download credentials or network problems. 
Once credentials are renewed or network problems are resolved, the service 
returns to Enabled. 

To view DRTR status (CLI only): 

At the (config) prompt, enter the following command: 

SGOS# (config content-filter) view 
Provider: Blue Coat 
Dynamic Categorization: 

Service: Enabled/Disabled/Suspended < one state is displayed 

Diagnostics 

Diagnostics allows you to see all categories available for use in policy or test a 
URL against the database. Categories are not displayed for a vendor or local 
database if no database has been downloaded. 

To see all available categories: 

1. On the Configuration > Content Filtering > General page, click View Categories. 

2. To see what categories a Web site is assigned by your current configuration, 
enter the URL into the URL field and click Test. 
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Related CLI Syntax to Manage the BCWF Database 

□ To enter configuration mode: 

SGOS# (config) content-filter 

□ The following subcommands are available: 

SGOS# (config content-filter) provider bluecoat {enable | disable} 
SGOS# (config content-filter) provider bluecoat lookup-mode {always | 
uncategorized} 

SGOS# (config content-filter) categories 
SGOS# (config content-filter) bluecoat 

SGOS# (config bluecoat) download {all-day | auto | between-hours | 
encrypted-password | get-now | password | url | username } 

SGOS# (config bluecoat) service {enable | disable} 

SGOS# (config bluecoat) service {forward {none | host_or_group_alias } | 

mode {background | realtime | none} | socks -gateway {none | 

gateway_alias } } 

SGOS# (config bluecoat) no download 
SGOS# (config bluecoat) {exit | view} 

SGOS# (config content-filter) test-url url 

See Also 

a "Applying Policy" 

□ "Applying Policy to Categorized URLs" 

□ "Using Content Filtering Vendors with Blue Coat Policies" 
a "Defining Custom Categories in Policy" 
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Section C: Configuring a Local Database 

This section describes how to select and refer to a local database and how to 
schedule the database update schedule. 

Selecting the Local Database and Downloading the Database 

Two main reasons to use a local database instead of a policy file for defining 
categories are: 

□ A local database is more efficient than policy if you have a large number of 
URLs. 

□ A local database separates administration of categories from policy. This 
separation is useful for three reasons: 

• It allows different individuals or groups to be responsible for 
administrating the local database and policy. 

• It keeps the policy file from getting cluttered. 

• It allows the local database to share categories across multiple boxes that 
have different policy. 

However, some restrictions apply to a local database that do not apply to policy 
definitions: 

□ No more than 200 separate categories are allowed. 

□ Category names must be 32 characters or less. 

□ A given URL pattern can appear in no more than four category definitions. 

You can use any combination of the local database, policy files, or the VPM to 
manage your category definitions. See "Applying Policy to Categorized URLs" on 
page 44 for more information. You can also use both a local database and a third- 
party vendor for your content filtering needs. 



Note: Blue Coat recommends locating your local database on the same server as 
any policy files you are using. 



To configure local database content filtering: 

1. Select Configuration > Content Filtering > General. 
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General 






Provider 


Enable 


Lookup mode 


Local Database: 


0 


® Always O Uncategorized 


Internet Watch Foundation: 


□ 


® Always O Uncategorized 


Blue Coat Web Filter: 


□ 


® Always O Uncategorized 


3rd-party database: 


None 


v ® Always Q Uncategorized 



- Options 

Enable Category Review Message in Exceptions 



2. Select Local Database. 

3. Select the Lookup Mode. 

a. The default is Always, which specifies that the Local database will 
always be consulted for category information. 

b. Uncategorized specifies that the lookup is skipped if the URL has 
already been found in policy. 

4. Click Apply to commit the changes to the ProxySG. 

5. Select Configuration > Content Filtering > Local Database. 

6. If the database is located on a server that requires a password for access, you 
must configure the ProxySG to use that password when accessing the 
database: 

a. Click Change Password. The Change Password dialog displays. 

b. Enter your password and click OK. 

7. Download the database: 



a. In the URL field, enter the location of the file to be downloaded. 



b. Click Download Now. The Download Status dialog displays. 

c. Click Close to close the Download status dialog. 



d. 



Click View Download Status. A new browser window opens and displays 
the Download log. For example: 



Download log: 

Local database download at: 2008/08/11 17:40:42-0400 
Downloading from f tp : //I . 1 . 1 . 1/ list-1 000000-cat . txt 
Download size: 

Database date: Sat, 

Total URL patterns: 1000000 
Total categories: 10 



16274465 

09 Aug 2008 08:11:51 UTC 



8. Click Apply. 
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Future Downloads 

You can return to this screen at any time and download a database on demand 
(independent of the automatic download feature, which is described in the next 
section). 

Ordinarily, the ProxySG checks to see if the database has changed before initiating 
a download. If the database is the most current, no download is performed. 



Note: Incremental updates are not available for Local Database. 



Specifying a Custom Time Period to Update a Local Database 

The ProxySG checks for updates to the database several times an hour. When an 
update is available, it is automatically downloaded and applied. Typically, an 
update contains only the information that has changed. 

You can prevent this automatic check entirely by disabling automatic updates. 
You can also restrict the checks to occur only within a specific time period. For 
example, you can choose to check for updates between 8 am and 11 pm only. The 
time frame is always local time. 



Note: When the database is downloaded, a log is available that includes detailed 
information about how the database was updated. You can view the download 
log in the Management Console by selecting Statistics > Advanced > Content Filter 
Service, or in the CLI (SGOS#(config) show content-filter status). 



To specify a custom time period for updates: 

1. Select Configuration > Content Filtering > Local Database. The Automatically check for 
updates check box is selected by default. 



[^1 Automatically check foi updates 










0 Only between the hours of 


08:00 v 


and 


23:59 v 



2. Select the Only between the hours of check box. The time frame is local time. 



3. Click the arrows to view the drop-down lists and set the time period for your 
update schedule. For example, to check for updates between the hours of 8 am 
and midnight, set the first box to 08:00 and the second box to 23:59. 

4. Click Apply. 

Diagnostics 

Allows you to see all categories available for use in policy or test a URL against 
the database. Categories are not displayed for a vendor or local database if no 
database has been downloaded. 
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To see all available categories: 

1. On the Configuration > Content Filtering > General page, click View Categories. 

2. To see what categories a Web site is assigned by your current configuration, 
enter the URL into the URL field and Click Test. 

Related CLI Syntax to Configure Content Filtering 

□ To enter configuration mode: 

SGOS# (config) content-filter 

□ The following subcommands are available: 

SGOS# (config content-filter) provider local {enable | disable} 

SGOS# (config content-filter) provider local lookup-mode {always | 
uncategorized} 

SGOS# (config content-filter) categories 
SGOS# (config content-filter) local 

SGOS# (config local) download {all-day | auto | between-hours | 
encrypted-password | get-now | password | url | username} 

SGOS# (config local) source 
SGOS# (config local) clear 
SGOS# (config local) {view | exit} 

SGOS# (config content-filter) test-url url 

See Also 

a "Applying Policy" 
a "Applying Policy to Categorized URLs" 
a "Using Content Filtering Vendors with Blue Coat Policies" 
a "Defining Custom Categories in Policy" 
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Section D: Configuring Internet Watch Foundation 

This section describes how to select the Internet Watch Foundation (IWF) 
database and how to schedule the database update schedule. 

The IWF is a non-profit organization that provides to enterprises a list of known 
child pornography URLs. The IWF database features a single category called IWF- 
Restricted, which is detectable and blockable using policy. IWF can be enabled 
along with other content filtering services. 

Selecting the IWF Database 

To configure IWF content filtering: 

1. Select Configuration > Content Filtering > General. 

General 

r Providers 



Provider 


Enable 


Lookup mode 


Local Database: 


□ 


® Always Q Uncategorized 


Internet Watch Foundation: 


0 


® Always 0 Uncategorized 


Blue Coat Web Filter: 


0 


® Always Q Uncategorized 


3rd-party database: 


None 


® Always Q Uncategorized 



r Options 

I I Enable Category Review Message in Exceptions 

2. Select Internet Watch Foundation. 

3. Select the Lookup Mode. 

a. The default is Always, which specifies that IWF will always be 
consulted for category information. 

b. Uncategorized specifies that the lookup is skipped if the URL has 
already been found in policy or a Local database. 

4. Click Apply. 

5. Select Configuration > Content Filtering > IWF. 
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Internet Watch Foundation 









Username: 


<not required> 


[ Change Password 


Change the download password 


URL: 


httpsV/list.bluecoat.com/iwf/activity/download/iwf.db 



Set to default 



Download now 
View Download Status 
0 Automatically check for updates 

Cl Only between the hours of 



and 



Note: A username and password are not required to download the 
database. 



6. Download the database: 

a. The default database download location displays in the URL field. 

Note: Only enter a new URL if instructed. Otherwise, accept the default. 

b. Click Download Now. The Download Status dialog displays. 

c. Click Close to close the Download status dialog. 

d. Click View Download Status. A new browser window opens and displays 
the Download log. For example: 

Download log: 

IWF download at: 2008/08/09 22:41:35 +0000 

Downloading from https://list.bluecoat.com/iwf/activity/ 

download/ iwf . db 

Requesting differential update 

File has not changed since last download attempt; no download 
required 

Previous download: 

IWF download at: 2008/08/09 22:40:19 +0000 

Downloading from https://list.bluecoat.com/iwf/activity/ 
download/ iwf . db 

Warning: Unable to determine current database version; 
requesting full update 
Download size: 20132 

Database date: Fri, 08 Aug 2008 04:45:06 UTC 
Database expires: Fri, 28 Nov 2008 04:45:06 UTC 
Database version: 2007112993 
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Database format: 1.1 

7. When you are finished viewing the Download Log, close the browser window 
and click Apply. 

Future Downloads 

You can return to this screen at any time and download a database on demand 
(independent of the automatic download feature, which is described in the next 
section). Ordinarily, the ProxySG checks to see if the database has changed before 
initiating a download. If the database is the most current, no download is 
performed. If an incremental update is available on the server, then it is 
downloaded (an incremental update contains only the changes between the 
current installed version and the latest published version of the database, and is 
much smaller than a full copy of the database). 

Specifying a Custom Time Period to Update IWF 

The ProxySG checks for updates to the categorization database several times an 
hour. When an update is available, it is automatically downloaded and applied. 
Typically, an update contains only the information that has changed. 

You can prevent this automatic check entirely by disabling automatic updates. 
You can also restrict the checks to occur only within a specific time period. For 
example, you can choose to check for updates between 8 am and 11 pm only. The 
time frame is always local time. 



Note: When the database is downloaded, a log is available that includes detailed 
information about how the database was updated. You can view the download 
log in the Management Console by selecting Statistics > Advanced > Content Filter 
Service, or in the CLI (SGOS#(config) show content-filter status). 



To specify a custom time frame for updates: 

1. Select Configuration > Content Filtering > IWF. The Automatically check for updates 

check box is selected by default. 



0 Automatically check for updates 




0 Only between the hours of 08:00 v and 23:59 v 







2. Select the Only between the hours of check box. The time frame is always local 
time. 



3. Click the arrows to view the drop-down lists and set the time period for your 
update schedule. For example, to check for updates between the hours of 8 am 
and midnight, set the first box to 08:00 and the second box to 23:59. 

4. Click Apply. 
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Diagnostics 

This allows you to test a URL against the database. 

To test a URL: 

1. Select Configuration > Content Filtering > General. 

2. Enter the URL into the URL field. 

3. Click Test. 

Related CLI Syntax to Manage IWF 

□ To enter configuration mode: 

SGOS# (config) content-filter 

□ The following subcommands are available: 

SGOS# (config content-filter) provider iwf {enable | disable} 
SGOS# (config content-filter) provider iwf lookup-mode {always | 
uncategorized} 

SGOS# (config content-filter) iwf 

SGOS# (config iwf) download {all-day | auto | between-hours | 
encrypted-password | get-now | password | url | username } 

SGOS# (config iwf) no download 
SGOS# (config iwf) {exit | view} 

SGOS# (config content-filter) test-url url 

See Also 

n "Applying Policy" 
a "Applying Policy to Categorized URLs" 

□ "Using Content Filtering Vendors with Blue Coat Policies" 

□ "Defining Custom Categories in Policy" 
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Section E: Configuring a Third-Party Vendor 

This section describes how to select and configure your preferred third-party 
vendor and how to schedule the database update schedule. 

Most of the third-party vendor configuration tasks are identical, but there are a 
few with vendor-specific options. As you follow the procedures, you are 
prompted to proceed to another section for these vendors to continue the 
configuration. 



Selecting the Provider and Downloading the Database 

This procedure assumes you have a valid account with your preferred vendor. 



To configure third-party content filtering: 

1. Select Configuration > Content Filtering > General. 



General 

- Providers 

Provider Enable 



Lookup mode 



Local Database: 

Internet Watch Foundation: 
Blue Coat Web Filter: 



□ 

□ 

□ 



® Always Q Uncategorized 
® Always Q Uncategorized 
@ Always Q Uncategorized 



3rd-party database: 



- Options 



U] Enable Category Review f 



r Diagnostics 



None 


V 


None 


A 


i-FILTER 




InterSafe 


_T7 


Optenet 


Proventia 




SmartFilter 




SurfControl 


V 



® Always Q Uncategorized 



View Categories 


View avaiiapie categories 


URL: 




Test 



2. From the 3rd-party database drop-down list, select your preferred vendor. 

3. Select the Lookup Mode. 



a. The default is Always, which specifies that the third-party database will 
always be consulted for category information. 

b. Uncategorized specifies that the lookup is skipped if the URL has 
already been found in policy, a Local database, the Internet Watch 
Foundation (IWF) database, or BCWF. 

4. (Optional and applicable for SmartFilter and BCWF only) Select Enable 

Category Review Message in Exceptions. This adds a link to the default content 
filter exception page that can be used to request review of the categories 
assigned to a blocked URL. 
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Two substitutions ($ (exception _category_review_url) and 
$ (exception_category_review_message) ) are automatically appended to the 
help element of all exception definitions. For information on using the 
$ (exception. help) element, refer to Volume 6: The Visual Policy Manager and 
Advanced Policy. 



Note: The substitution values are empty if the provider was not 
consulted for categorization, or if the categorization process failed due to 
an error. 



5. Click Apply. 

6. Proceed accordingly: 

a. For SmartFilter, continue with "Configuring SmartFilter" on page 37. 

b. For Websense, continue with: "Configuring Websense (on-box)" on 
page 39. 

c. For i-Filter, InterSafe, Optenet, Proventia, SurfControl, or Webwasher, 
continue with Step 7. 

7. Select Configuration > Content Filtering > Vendor_Name : 
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SurfControl 


1 






Username: 


catalina56 


Change Password Change (he download password 


URL: 


https://list. bluecoat. com/surfcontrol/activity/download/surfcontrol.db 



Set to default 



Download now 



View Download Status 



[*1 Automatically check for updates 

U Only between the hours of 



and 



8. (This example uses Surf Control.) If the database is located on a server that 
requires a password for access, you must configure the ProxySG to use that 
password when accessing the database: 

a. Enter your third-party vendor username. 

b. Click Change Password. The Change Password dialog displays. 

c. Enter your password and click OK. 

9. Download the database: 



a. The default database download location is displayed in the URL field. 

If you have been instructed to use a different URL, enter it here 
(optional: click Set to default to always use this location). 

b. Click Download Now. The Download Status dialog displays. 

c. Click Close to close the Download status dialog. 

d. Click View Download Status. A new browser window opens and displays 
the Download log. For example: 

Download log: 

SurfControl download at: 2008/08/09 17:40:42-0400 
Downloading from https : //list . bluecoat . com/ ... /download/ 
surfcontrol . db 

Warning: Unable to determine current database version; requesting 
full update 

Download size: 8106572 

Database date: Fri, 08 Aug 2008 08:11:51 UTC 

Database expires: Fri, 28 Nov 2008 08:11:51 UTC 

Database version: 3 

10. Click Apply. 

11. Continue with "Specifying a Custom Time Period to Update a Third-Party 
Database" on page 41. 
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Future Downloads 

You can return to this screen at any time and download a database on demand 
(independent of the automatic download feature, which is described in the next 
section). 

Ordinarily, the ProxySG checks to see if the database has changed before initiating 
a download. If the database is the most current, no download is performed. If an 
incremental update is available on the server, then it is downloaded (an 
incremental update contains only the changes between the current installed 
version and the latest published version of the database, and is much smaller than 
a full copy of the database). 

Configuring SmartFilter 

To configure SmartFilter, you need the license key assigned to you by Secure 
Computing. 

To configure SmartFilter: 

1. Select Configuration > Content Filtering > SmartFilter. 



SmartFilter 




2e c. 0 Allow RDNS 



0 Categorize search engine URLs by keyword 
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2. Configure SmartFilter: 

a. In the License key field, enter the license key you received from Secure 
Computing. 

b. In the Server field, the default server is displayed. If you have been 
instructed to use a different server, enter the hostname or IP address. 

c. Select Automatically check for updates to enable the ProxySG to check for 
database updates several times a day. For complete details about 
setting up this option, see "Specifying a Custom Time Period to 
Update a Third-Party Database" on page 41. 

d. Select the database edition to use. The XL edition is the default, and is 
compatible with SmartFilter 4.2 or later. The XL edition provides a 
number of new categories, as well as some changes to existing 
categories that are not available in the SL edition. 

Note: When you upgrade from an earlier ProxySG version that only 
supported the SL database edition, the default changes to the XL 
database edition. To defer policy changes, re-select the SL edition 
database. 

If you change the selected database edition, be sure to examine your 
policy compilation listing after the next database download. The set of 
available categories will be different, and you will need to modify your 
policy as a result. For more information, see "Modifying Policy for 
SmartFilter Database Changes" on page 48. 



e. Select Allow RDNS to enable reverse DNS lookup. RDNS resolves IP 
addresses into domain names, which enables the ProxySG to look up 
domain names in the SmartFilter database. 

f. Select Categorize search engine URLs by keyword to ensure blocking of 
sites by keywords. 

3. Click Download Now. The Download Status dialog displays. 

4. Click Close to close the Download status dialog. 

5. Click View Download Status. A new browser window opens and displays the 
Download progress. At the completion of the download, the download log 
displays. For example: 

Download log: 

Download in progress . . . 

Previous download: 

SmartFilter download at: 2008/03/06 14:29:59 -0800 
Downloading from: list.smartfilter.com 
Checking incremental update 
Warning: Unable to open input control list 
Warning: Unable to open installed control list 
Downloading full control file 
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Full download complete 
Download size: 219221404 

Database version: 10948 

Database date: Wed, 05 Mar 2008 23:53:01 UTC 

Database expires: Wed, 09 Apr 2008 23:53:01 UTC 



Note: The first time you download a SmartFilter database, warnings 
appear in the results message under Checking incremental update. 
These are expected, and represent the normal process of checking to see 
if an incremental update is possible. The next time you download a 
SmartFilter database, the ProxySG checks the previously downloaded 
database and downloads only what is necessary to keep the database 
current. 



6. Click Apply. 

See Also 

"Modifying Policy for SmartFilter Database Changes" 

Configuring Websense (on-box) 

The Websense database configuration screen contains unique options. 



Note: Websense databases contain a category called User-Defined to support 
locally-specified categorizations on other platforms. Do not use this category 
on the ProxySG. Instead, define your own categories through the ProxySG 
and assign URLs to them using Policy (see page "Defining Custom Categories 
in Policy" on page 48), or using a local category database (refer to Volume 4: 
Securing the Blue Coat ProxySG Appliance). 



To configure Websense (on-box): 

1. Select Configuration > Content Filtering > Websense. 
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Websense 





0 Always apply regular expressions to URLs 



2. In the License Key field, enter the key assigned to you for downloading the 
Websense database. 

3. In the Server field, the default server is displayed. If you have been instructed 
to use a different server, enter the hostname or IP address here. 

4. (Optional) In the Contact e-mail field, enter an e-mail address by which 
Websense can contact you. 

5. Click Download Now. The Download Status dialog displays. 

6. Click Close to close the Download status dialog. 

7. Click View Download Status. A new browser window opens and displays the 
Download log. For example: 

Download log: 

Websense download at: 2008/08/09 17:40:42-0400 
No database is currently installed 
Attempting full download 
Downloading from download.websense.com 
Processing download file 
Retrieved full update 
Download size: 147079939 

Database version: 82300 

Database date: 2008/08/08 

License expires: 2008/09/21 08:11:51 UTC 
License max users: 25 

Licenses in use: 0 

Library version: 3. 2. 0.0 [BCSI rev A] 

8. (Optional) Always apply regular expressions to urls: 



40 




Chapter 2: Filtering Web Content 



Section E: Configuring a Third-Party Vendor 



Select this option to force an additional regular expression lookup for each 
URL to be categorized. Normally, regular expression lookups are done only 
when no category is found in the Websense database. If this option is selected, 
regular expression lookups always occur, even for categorized URLs. 
Selecting this option can cause a significant reduction in lookup performance, 
but allow certain sites (such as translation, search engine, and link-cache sites) 
to be categorized more accurately. 

9. To use the Websense Reporter, you must enable the Websense Integration 
Service. 

a. In the Integration Service Host field, enter the Integration Service Host IP 
(which has the same IP address as the Websense Log Server). 

b. In the Port field, specify the port of the Websense Integration Service. It 
must be between 0 and 65535 and match the port selected on the 
Integration Service host. 

c. Select Enabled to enable the service. 

d. (Optional) Select Log forwarded client address. Normally, the ProxySG 
logs the actual client IP address to the Websense Reporter log. You can 
configure the ProxySG to log an address obtained from the X- 
Forwarded-For HTTP Header (if present and valid) instead. This is 
useful in some specific network topologies. 

Note: The Policy Server, the Log Server, and Reporter must be installed 
and enabled on your PC before Reporter can be used. For information on 
Websense products, refer to: http:/ / www.websense.com. 

You must also set up access logging on the ProxySG with Websense as the 
client. For more information on configuring a Websense access logging 
client, refer to Volume 8: Access Logging. 

10. Click Apply. 

11. Proceed to the "Specifying a Custom Time Period to Update a Third-Party 
Database" on page 41. 

See Also 

□ "Configuring Websense Off-Box Content Filtering" 
a "Performing a Health Check on a Websense Off-Box Service" 

Specifying a Custom Time Period to Update a Third-Party Database 

The ProxySG checks for updates to the database several times an hour. When an 
update is available, it is automatically downloaded and applied. Typically, an 
update contains only the information that has changed. 
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You can prevent this automatic check entirely by disabling automatic updates. 
You can also restrict the checks to occur only within a specific time period. For 
example, you can choose to check for updates between 8 am and 11 pm only. The 
time frame is always local time. 



Note: When the database is downloaded, a log is available that includes detailed 
information about how the database was updated. You can view the download 
log in the Management Console by selecting Statistics > Advanced > Content Filter 
Service, or in the CLI (SGOS#(config) show content-filter status). 



To specify a custom time period for updates: 

1. Select Configuration > Content Filtering > vendor. The Automatically check for updates 

option is selected by default. 



0 Automatically check for updates 




PI Only between the hours of 08:00 v and 23:59 v 







2. Select the Only between the hours of option. The time frame is always local time. 

3. Click the arrows to view the drop-down lists and set the time period for your 
update schedule. For example, to check for updates between the hours of 8 am 
and midnight, set the first box to 08:00 and the second box to 23:59. 

4. Click Apply. 

Diagnostics 

This allows you to see all categories available for use in policy or test a URL 

against the database. Categories are not displayed for a vendor or local database if 

no database has been downloaded. 

To see all available categories or test a URL: 

1. Select Configuration > Content Filtering > General page. 

2. Click View Categories. 

3. To see what categories a Web site is assigned by your current configuration, 
enter the URL into the URL field. 

4. Click Test. 

Related CLI Syntax to Manage Third-Party Vendor Content Filtering 

□ To enter configuration mode: 

SGOS# (config) content-filter 

□ The following subcommands are available: 
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SGOS# (config content-filter) {i-filter | intersafe | optenet I 
proventia | smartfilter | surfcontrol | websense | webwasher ) 

SGOS# (config content-filter) provider 3rd-party lookup-mode {always 
uncategorized} 

SGOS# (config content-filter) provider 3rd-party vendor 

SGOS# (config vendor) download {all-day | auto | between-hours | 

encrypted-password | get-now | password | url | username} 

SGOS# (config vendor) view 

download license license_key 
download server ip_address_or_hostname 

allow-rdns | no allow-rdns 
use-search- keywords 
download email-contact e-mail_address 
download server ip_address_or_hostname 

download license licensekey 
{ always-apply-regexes | no always-apply- 



SGOS# (config smartfilter) 
SGOS# (config smartfilter) 
SGOS# (config smartfilter) 
SGOS# (config smartfilter) 
SGOS# (config websense) 
SGOS# (config websense) 
SGOS# (config websense) 
SGOS# (config websense) 
regexes } 

SGOS# (config websense) 
SGOS# (config websense) 
SGOS# (config websense) 



integration- service {enable | disable} 
integration- service host ip_address_or_hostname 
integration- service port { 0-65535 } 



See Also 

a "Applying Policy" 

□ "Applying Policy to Categorized URLs" 

□ "Using Content Filtering Vendors with Blue Coat Policies" 

□ "Defining Custom Categories in Policy" 
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Section F: Applying Policy 

This section discusses the interaction between content filtering categories and the 
application of control policies. 

Applying Policy to Categorized URLs 

Policy is applied to categories the same way as individual URLs: create policies 
that restrict, allow, and track access. Policy rules are created by composing Blue 
Coat Content Policy Language (CPL) or with the Visual Policy Manager (VPM). 



Note: If you have extensive category definitions. Blue Coat recommends that you 
put them into a local database rather than into a policy file. The local database 
stores custom categories in a more scalable and efficient manner, and separates 
the administration of categories from policy. See Section C: "Configuring a Local 
Database" on page 26. 



The policy trigger category= is used to test the category or categories assigned to 
the request URL, and thus make a policy decision. For example, to block all 
requests for URLs that are categorized as Sports: 

DENY category=Sports 

The following example demonstrates a condition that is true when a request 
contains the Websense content categories Sexuality and Drugs: 

<proxy> 

category= (sexuality, drugs) 

You can block multiple categories with a single rule: 

category= (Sports, Gambling, Shopping) exception ( content_filter_denied) 

In this example, three categories are blocked and instead the predefined exception 
page content_fiiter_denied is served; by default this indicates that the request 
was denied due to its content and specifies the categories found. 

The following example shows a condition that includes an extensive number of 
categories: 

category= (Abortion, Activist, Adult, Gambling, Illegal, Hacking, 
Militancy, Racism, Shopping, Tasteless, Violence, Weapons) 

URLs that are not categorized are assigned the system category none. This is not 
an error condition; many sites (such as those inside a corporate intranet) are 
unlikely to be categorized by a commercial service. Use category=none to detect 
uncategorized sites and apply relevant policy. The following example disallows 
access to uncategorized sites outside of the corporate network: 

define subnet intranet 

10.0.0.0/8 ; internal network 
192.168.123.45; external gateway 
end 
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<proxy> 

; allow unrestricted access to internal addresses 
ALLOW url . address=intranet 

; otherwise (internet) , restrict Sports, Shopping and 
uncategorized sites 

DENY category^ (Sports, Shopping, none) 

Such category tests can also be combined with other types of triggers to produce 
more complex policy, such as: 

□ Restrict access by category and time: block sports from 6 am to 6 pm: 

category=Sports time=0600 . . 1800 DENY 

□ Restrict by category and user identity: only members of the group Sales are 
permitted to visit Shopping sites: 

category=Shopping group=! Sales DENY 

□ Require special authentication for access to certain categories: 

category=Hacking authenticate ( restricted_realm ) 

where restricted_reaim is an authentication realm you have configured. 

□ Log certain types of access: 

category=Adult action. Log_adult_site_access (yes) 

where Log_aduit_site_access is a policy action defined elsewhere that 
records extra information about this request in the event log. 

Typically, category= can be used in policy anywhere that a basic URL test can be 
used. Refer to Volume 10: Content Policy Language Guide for more details. 

Depending on which provider you have selected and whether you have defined 
any of your own categories in policy (see "Defining Custom Categories in Policy" 
on page 48), you have a number of possible category names that can be used with 
category=. To review the valid category names, use the categories CLI command 
or click View Categories in the Management Console: Configuration > Content Filtering 
> General. 

The category= expressions are normally put in <Proxy> Layers (VPM: Web Access 
Layers) because the goal of content filtering policy is to control requests from 
users. They can also be used in <cache> (VPM: Web Content Layers) Layers. Either 
way, policy is enforced on all user requests. 

It is possible for an attempt to categorize a URL to fail — for example, if no 
database is loaded, your license is expired, or if a system error occurs. In such a 
case, the category is considered unavailable and triggers such as: 

category=Sports 

are false, even if the URL is actually a sports site, because the ProxySG is unable to 
determine the category. When the policy depends on the category of a URL, you 
do not want such errors to inadvertently allow ordinarily restricted content to be 
served by the ProxySG. You can control how the ProxySG treats these situations 
with the condition: 

category=unavailable 



45 



Volume 7: Managing Content 



Section F: Applying Policy 



which is true in these cases. In continuing with the example, to make sure that 
Sports is always blocked, even when errors occur (this is a mode of operation 
called fail-closed), use a rule such as: 

category= (sports, unavailable) exception (name_of_exception page) 

This rule is true if the category is sports or if the category could not be 
determined, and in either case the proper exception page is served instead of the 
restricted content. 

The category unlicensed is assigned in addition to unavailable when the failure to 
categorize occurred because of license expiry. That can be caused by the 
expiration of your Blue Coat license to use content filtering, or because of 
expiration of your license from the provider. You can use 

category=unlicensed 

to detect this situation as a distinct case from other causes of unavailability. 

You can also use this feature with custom exception pages (refer to Volume 6: The 
Visual Policy Manager and Advanced Policy): 

<proxy> 

category=sports time=0800. .1800 exception ( sports_during_bus_hrs) 
category=unlicensed exception ( contact_admin_re_license) 
category=unavailable exception (content_filter_unavailable) 

where sports_dur±ng_bus_hrs is a custom exception page you have 
created to respond to requests for Sports pages between 8 am and 6 pm 
local time. 

con tact_admin_re_ii cense is another page that instructs the user to 
inform the administrator about license expiry, and is served if a license 
check fails. When the 

category is unavailable for some other reason, the pre-defined exception 

( content_filter_unavailable ) is served. 

The most common reason (other than license expiry) why categories are 
unavailable is that a provider is selected but no database is installed. Barring 
hardware or network problems that might cause a downloaded database to 
become corrupted and unreadable, it is unlikely that the database will suddenly 
become unavailable. 

To define policies on the ProxySG, use either the VPM or manually edit Policy 
files. 

Content filtering policies are usually found in <Proxy> and <Cache> layers. 

If you are using content filtering to manage a type of content globally, create these 
rules in the <cache> layer. 

However, if your content filtering policy is dependent on user identity or request 
characteristics, create these rules in the <Proxy> layer. 

Using Content Filtering Vendors with Blue Coat Policies 

The ProxySG provides the ability to define flexible Web access and control 
policies. With content filtering, you can set up policies to provide a customized 
level of Web-site access control. With vendor-based content filtering, these policies 
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use and can supplement vendor categories. By supplementing content filtering 
vendor categories, you can further refine the type of content filtering the ProxySG 
performs. For example, if Travel is a vendor-defined content category, you can 
define a policy that allows only Human Resources staff to access travel sites. You 
can define policies that filter by a variety of conditions, including category, 
protocol (including MMS and RTSP streaming protocols), time of day, and user or 
user groups. 

Example 

Policy: Limit employee access to travel Web sites. 

The first step is to rephrase this policy as a set of rules. In this example, the model 
of a general rule and exceptions to that rule is used: 

□ Rule 1: All users are denied access to travel sites 

□ Rule 2: As an exception to the above. Human Resources users are allowed to 
visit Travel sites 

Before you can write the policy, you must be able to identify users in the Human 
Resources group. You can do this with an external authentication server, or define 
the group locally on the ProxySG. For information on identifying and 
authenticating users, refer to Volume 4: Securing the Blue Coat ProxySG Appliance. 

In this example, a group called human resources is identified and authenticated 
through an external server called my auth server. 

This then translates into a fairly straightforward policy written in the local policy 
file: 



<proxy> 

; Ensure all access is authenticated 
Authenticate (my_auth_server) 

<proxy> 

; Rule 1 : All users denied access to travel 
DENY category=travel 
<proxy> 

; Rule 2 : Exception for HR 

ALLOW category=travel group=human resources 
DENY category=sites 

Example 

Policy: Student access to Health sites is limited to a specified time of day, when 

the Health 100 class is held. 

This time the policy contains no exceptions: 

□ Rule 1: Health sites can be accessed Monday, Wednesday, and Friday from 10- 
11am. 

□ Rule 2: Health sites can not be accessed at other times. 

define condition Health_class time 
weekday=(l, 3, 5) time=1000 . . 1100 

end 
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<proxy> 

; 1) Allow access to health while class in session 
ALLOW category=health condition=health_class_time 
; 2) at all other times, deny access to health 
DENY category=health 

Modifying Policy for SmartFilter Database Changes 

SmartFilter's XL database edition, which is compatible with SmartFilter 4.2 and 
later, provides a number of new categories as well as some changes to existing 
categories. A change in categories always has the potential to affect the way a 
given SGOS policy is interpreted. It is important to modify policy to 
accommodate database changes when you change the SmartFilter database you 
use. Review the list of categories and ensure that your policy is structured 
appropriately, especially for categories in the SL database that have been split into 
more than one category in the XL database. 



Defining Custom Categories in Policy 

You can use CPL to create your own categories and assign URLs to them. This is 
done with the define category construct (for more complete information on the 
define category construct, refer to Volume 10: Content Policy Language Guide). To 
add URLs to a category, list them in the definition. You only need to specify a 
partial URL: 

□ hosts and subdomains within the domain you specify will automatically be 
included 

□ if you specify a path, all paths with that prefix are included (if you specify no 
path, the whole site is included) 

Example: 

define category Grand_Canyon 
kaibab . org 

www2 .nature . nps . gov/air /webcams /parks/ grcacam 
nps . gov/grca 
grandcanyon . org 
end 

Any URL at kaibab . org is now put into the Grand Canyon category (in addition to 
any category it might be assigned by a provider). Only those pages in the /grca 
directory of nps . gov are put in this category. 

Nested Definitions and Subcategories 

You can define subcategories and nest category definitions by adding a 
category=<name> rule. To continue the example, you could add: 

define category Yellowstone 
yellowstone-natl-park . com 
nps . gov/ yell/ 
end 

define category National_Parks 



48 



Chapter 2: Filtering Web Content 



category=Grand_Canyon; Grand_Canyon is a subcategory of 
National_Parks 

category=Yellowstone; Yellowstone is a subcategory of National_Parks 
nps.gov/yose; Yosemite - doesn't have its own category (yet) 
end 

With these definitions, pages at kaibab . org are assigned two categories: 

Grand Canyon and National Parks. You can add URLs to the Grand Canyon 

category and they are automatically added by implication to the National Parks 
category as well. 

Multiple unrelated categories can also be assigned by CPL. For example, by 
adding: 

define category Webcams 

www2 . nature . nps . gov/air /webcams/parks/grcacam 
end 

the URL, http : // www2 . nature . nps . gov /air /webcams/parks/grcacam/ grcacam.htm, 

will have three categories assigned to it: 

□ Grand Canyon (because it appears in the definition directly) 

□ National Parks (because Grand Canyon is included as a subcategory) 

□ webcams (because it also appears in this definition) 

However, the other sites in the Grand canyon category are not categorized as 
webcams. This can be seen by testing the URL (or any other you want to try) 
clicking the Test button on the Management Console or the test-uri command in 
theCLI. 

You can test for any of these categories independently. For example, the following 
example is a policy that depends on the above definitions, and assumes that your 
provider has a category called Travel into which most national park sites 
probably fall. The policy is intended to prevent access to travel sites during the 
day, with the exception of those designated National Parks sites. But the 
Grand Canyon webcam is an exception to that exception. 

Example: 

<proxy> 

category=Webcams DENY 
category=National_Par ks ALLOW 
category=Travel time =0800.-1800 DENY 

Click the Test button on the Management Console or the test-uri command in 
CLI to validate the categories assigned to any URL. This can help you to ensure 
that your policy rules have the expected effect (refer to "Configuring Policy 
Tracing" in Volume 10: Content Policy Language Guide). 

If you are using policy-defined categories and a content-filter provider at the 
same time, be sure that your custom category names do not coincide with the 
ones supplied by your provider. You can also use the same names — this adds your 
URLs to the existing categories, and extends those categories with your own 
definitions. For example, if the webcam mentioned above was not actually 
categorized as Travel by your provider, you could do the following to add it to the 
Travel category (for the purpose of policy): 
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define category Travel ; extending a vendor category 

www2.nature.nps.gov/air/webcams/parks/grcacam/ ; add the GC webcam 
end 



Note: The policy definitions described in this section can also be used as 
definitions in a local database. See "Configuring a Local Database" on 
page 26 for information about local databases. 



Notes 

□ When you use an expired database, the category unlicensed is assigned to all 
URLs and no lookups occur on the database. This can occur even if your 
download license with the database vendor is still valid, but you have not 
downloaded a database for a long time (databases expire after a certain 
number of days). You can view the date that your database expires (or 
expired) in the download log or by using the view command in the CLI. 

When you download a database, you can see the download log as soon as the 
download is complete. To see the download log when you download a 
database, click Results in the Installation Status dialog when the download is 
complete. 

To see the last download log without doing another download, enter the 
following CLI (config) commands: 

SGOS# (config) content-filter 

SGOS# (config content-filter) view 

□ When your license with the database vendor expires, you can no longer 
download. This does not have an immediate effect — you can still use the 
database you have for a period of time. But eventually, the database expires 
and you receive the category unlicensed, as described above. 

□ If HTTPS Intercept is disabled and a requested HTTPS host is categorized in a 
content filtering database, then filtering applies. However, if the request 
contains a path and the categorization relies on the host/ relative path, content 
filtering only filters on the host name because the path is not accessible. This 
might result in a different categorization than if the host plus path were used. 

□ If you receive an error message when downloading a content filtering 
database, check the error message (in the Management Console, click Results 
on the Installation status dialog; in the CLI, the results message displays in the 
event of an error). If you see an error message such as ERROR: HTTP 401 - 
Unauthorized, verify that you entered your username and password correctly. 
For example, the following error message was generated by entering an 
incorrect username and attempting to download a SmartFilter database: 

Download log: 

SmartFilter download at: Thu, 21 June 2007 18:03:08 
Checking incremental update 
Checking download parameters 
Fetching : http : // example . com/ 

Warning: HTTP 401 - Unauthorized 
Downloading full control file 

SmartFilter download at: Thu, 21 June 2007 18:03:17 
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Downloading from http://example.com/ 
Fetching : http : // example . com/ 

ERROR: HTTP 401 - Unauthorized 
Download failed 
Download failed 
Previous download: 
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Section G: Configuring Websense Off-Box Content Filtering 

This section describes how to configure the ProxySG to communicate with a 
separate Websense server to perform content filtering tasks. This involves creating 
an external service on the ProxySG. 

Note: The ProxySG supports Websense off-box server versions 4.4 and higher. 



To configure Websense Off-box: 

1. In the Management Console, select Configuration > External Services > Websense. 



2a 



Websense 

- Services: — 

Service 




2b 




New 



Edit 



Delete 



2. Add a new service: 

a. Click New. The Add list item dialog displays. 

b. Enter a name for the service. This example uses WS_1. 

c. Click OK to close the dialog and add the Websense service 

3. Click Apply. 

4. Click Edit. The Edit Websense Service dialog displays. 
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5. Configure the service: 

a. From the Websense Version drop-down list, select the version. The 
default is 4.4 and higher; you can also select 4.3. 

b. In the Host field, enter the hostname or IP address of the remote 
Websense server. 

c. In the Port field, enter the port number of the Websense server; or leave 
as is to accept the default (15868). 

d. In the Maximum connections field, enter the maximum number of 
connections. The range is a number from 5 to 4096. The default is 5. 
Blue Coat recommends that the setting not exceed 200. 

e. In the Receive Timeout (seconds) field, enter the number of seconds the 
ProxySG waits for replies from the Websense server. The range is 1 to 
65535 seconds. The default timeout is 20 seconds. 

6. The following settings are optional: 

a. Fail open — If a default Websense service is selected (from the External 
Services > Websense tab), a connection error with the Websense server 
results in requests and responses proceeding, as the default Websense 
service is subjected to policy. 

b. Send: client address — Sends the client IP address to the Websense server. 

c. Send: Authenticated user — Sends user information to the Websense 
server. 
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d. Serve exception page when content is blocked — If the requested content is 
defined by Websense as inappropriate, the client receives a page with 
information stating the content is blocked. When this option is 
selected, the exception page originates from the ProxySG; if not 
selected, the Websense server provides the exception page. 

7. Click OK to close the Websense dialog. To perform a health check on this 
service, see "Performing a Health Check on a Websense Off-Box Service" on 
page 54. 

8. Click Apply to commit the changes to the ProxySG. 

9. (Optional) You can designate a default Websense service to use. On the 

Configuration > External Services > Websense tab, select a service from the Default 
service to use drop-down list. 

Because this is an external service feature, you can create service groups that 
contain two or more Websense services. Then you can point the ProxySG to the 
service group to allow for greater efficiency. See Chapter 4: "Configuring Service 
Groups" on page 95. 

Performing a Health Check on a Websense Off-Box Service 

1. To perform a health check on the Websense service, click Health Check. The 
Confirm Health Check dialog displays. 




2. Make sure that you save changes to any open dialogs before proceeding. 

3. Click OK to perform the health check. When the health check is complete, the 
Health Check Results dialog displays information about the health check. 

4. Click Close to close the Health Check Results dialog. 

Related CLI Syntax to Configure Websense Off-box Content Filtering 

□ To enter configuration mode: 

SGOS# (config) external-services 

□ The following subcommands are available: 
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SGOS# (config 
SGOS# (config 
SGOS# (config 
SGOS# (config 
SGOS# (config 
SGOS# (config 
SGOS# (config 
SGOS# (config 
authenticated- 
SGOS# (config 
SGOS# (config 
SGOS# (config 
SGOS# (config 



external- 

external- 

websense 

websense 

websense 

websense 

websense 

websense 

user} 

websense 

websense 

websense 

websense 



services 

services 

service_ 

service_ 

service_ 

service_ 

service_ 

service_ 

service_ 

service_ 

service_ 

service 



) create websense service_name 
) {edit | delete} service_name 
name) version {4.3 | 4.4} 
name) host {hostname | IP_address} 
name) port port_number 
name) max-conn number 
name) timeout timeout^seconds 
name) send {client-address | 

name) sense-categories 
name) apply-by-default 
name) fail-open 
name) test-url url 
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This chapter describes how to configure the ProxySG to interact with external 
Internet Content Adaptation Protocol (ICAP) clients and servers to provide 
content scanning and transformation. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ Section A: "About Content Scanning" on page 58 

□ Section B: "Configuring ProxySG ICAP Communications" on page 70 

□ Section C: "Creating ICAP Policy" on page 84 

□ Section D: "Managing Virus Scanning" on page 92 
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Section A: About Content Scanning 

Section A: About Content Scanning 

This section provides conceptual information about anti-virus (AV) scanning and 
the ProxySG solution. 

When integrated with a supported ICAP server, such as the Proxy AV, the 
ProxySG provides content scanning, filtering, and repair service for Internet- 
based malicious code. To eliminate threats to the network and to maintain caching 
performance, the ProxySG sends objects to the ICAP server for checking and 
saves the scanned objects in its object store. With subsequent content requests, the 
appliance serves the scanned object rather than rescanning the same object for 
each request. 

You can scan your data using plain ICAP, secure ICAP or both. Plain ICAP is 
useful for scanning non-confidential data (HTTP) where secure ICAP sends data 
that may be confidential (HTTPS) through a secure data channel. 

Notes 

□ Plain ICAP is faster than secure ICAP because it does not have to deal with 
any encryption overhead. Therefore, Blue Coat recommends that you only use 
secure ICAP when scanning confidential data. 

□ Secure ICAP requires an SSL license. 

Determining Which Files to Scan 

In determining which files to scan, this integrated solution uses the content 
scanning server's filtering in addition to ProxySG capabilities. The following table 
describes the supported content types and protocols. 



Table 3-1 Content Types Scanned By ICAP Server and the ProxySG 



ICAP Server 

supported content types 


ProxySG 

supported protocols 


Unsupported content 
protocols 


All or specified file types, based 
on the file extension, as 
configured on the server. 

Examples: . exe (executable 
programs), . bat (batch 
files), .doc and . rtf (document 
files), and . z ip (archive files); or 
specific MIME types. 


• All HTTP objects 
(uploaded or downloaded) 

• All FTP over HTTP 
(webftp) objects (uploaded or 
downloaded) 

• All native FTP objects 
(uploaded or downloaded) 

The above is true for both 

transparent and explicit proxies. 


• Streaming content (for 
example, RTSP and MMS) 

• Live HTTP streams (for 
example, HTTP radio 
streams) 

• CIFS 

• MAPI 

• IM 

• TCP tunnel traffic 


HTTPS connections terminated at a 
ProxySG 


HTTPS connections tunneled 
through a ProxySG 
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Whenever an object is requested or being refreshed and it was previously 
scanned, the ProxySG verifies whether the pattern file has been updated since it 
was last scanned. If it was, the object is scanned again, even if the content has not 
changed. If the content has changed, the object is rescanned. 

With the ProxySG, you can define flexible, yet enterprise-specific content 
scanning policies, which are discussed in the following two sections. 

Workflow Tasks 

Table 3-2 provides a high-level view of workflow tasks for configuring ProxySG 
ICAP communications. It also provides task descriptions. 



Table 3-2 Workflow Tasks-Configuring ProxySG ICAP Communications 



Task 


Task Description 


1. Install the ICAP server 


Follow the manufacturer instructions for installing 
the ICAP server, including any configuration 
necessary to work with the ProxySG. 

Based on your network environment, you might use 
the ProxySG with multiple ICAP servers or multiple 
scanning services on the same server. Configure 
options as needed, including the exception message 
displayed to end users in the event the requested 
object was modified or blocked. 


2. Decide whether to scan data 


Scan data using the plain ICAP method, secure ICAP 


using plain ICAP or secure 


method or both. 


ICAP 


• Plain ICAP should be used only for non- 
confidential data. In particular, if plain ICAP is 
used for intercepted HTTPS traffic, then data 
intended to be cryptographically secured would 
be transmitted in plain text on the local network. 

• Secure ICAP send data through a secure data 
channel. This method protects the integrity of 
messages that are sent between the ProxySG and 
the ICAP server while it allows users to 
authenticate ICAP servers by enabling certificate 
verification. 
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Table 3-2 Workflow Tasks-Configuring ProxySG ICAP Communications (Continued) 



Task 


Task Description 


3. Create an SSL device profile 
on the ProxySG 
(Optional — secure ICAP 
only) 


Create an SSL device profile to authorize the ICAP 
server if you use secure ICAP. 

Select: 

ProxySG Management Console: SSL > Device 
Profiles. Select the Verify Peer option on the Edit 
menu for the desired server. 


Note: When the Verify Peer option is enabled, 

the ProxySG must have the ICAP server 
certificate installed as trusted under External 
certificates. Otherwise, the ProxySG fails to 
verify the ICAP server as a trusted server. 




4. Create and configure new or 
existing ICAP services 


Create an ICAP service that specifies the ICAP server 
IP address and supported connections. Configure 
the services including the scanning method and 
whether to use deferred scanning. 

See "Creating an ICAP Service" on page 70. 


5. Specify the feedback method 


Select patience pages or data trickling for feedback 
method. 

See "Configuring ICAP Feedback" on page 76. 


6. Define scanning policies, then 
load the policy file on the 
ProxySG 


Decide which scanning policies your configuration 
needs. 

See "Creating ICAP Policy" on page 84 


7. Add ICAP rules to policy 


Depending on the configuration, add ICAP rules to 
policy. 

request. icap service ( server name) 
response . icap service ( server name) 

See "Creating ICAP Policy" on page 84 



About Response Modification 

The ProxySG sends the first part (a preview) of the object to the ICAP server that 
supports response modification. The object preview includes the HTTP request 
and response headers, and the first few bytes of the object. After checking those 
bytes, the ICAP server either continues with the transaction (that is, asks the 
ProxySG to send the remainder of the object for scanning) or sends a notification 
to the appliance that the object is clean and opts out of the transaction. 
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The ICAP server features and configuration determine how scanning works, 
including the following: 

□ Handling of certain objects, including those that are infected and cannot be 
repaired 

□ Whether to attempt to repair infected files 

Note: The Proxy AV does not attempt to repair the file. 

□ Whether to delete infected files that cannot be repaired from the ICAP server's 
archive 

The following diagram illustrates the response modification process flow. 





Legend 
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Process Flow 

1: (Blue arrow) Client 1 requests a Web page. 

2: The ProxySG retrieves the requested Web page from a content server. 

3: The ProxySG forwards the Web page (objects) to the ProxyAV for content scanning. The 
contents (possibly modified if exceptions occur) is returned to the ProxySG. Clean content 
is stored in the cache from which future requests are served. 

4: Policy check. Evaluates how exceptions and other errors are processed. 

5: (Blue arrow) The content is clean and allowable and the request is allowed to continue to 
its destination for full retrieval. 

6. (Red arrow) A virus or other exception occurred and the client is notified with an HTTP 
message. 



Figure 3-1 Response Modification Process Flow 



About Request Modification 

Request modification means the ICAP server scans contents that a client is 
attempting to send outside the network. This prevents unaware users from 
forwarding corrupted files or Webmail attachments. Request modification is also 
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a method of content filtering and request transformation, which is used to protect 
network identification. Based on the results of the scan, the server might return an 
HTTP response to the client (for example, sports not allowed); or the client 
request might be modified, such as stripping a referrer header, before continuing 
to the origin content server. 



Note: Some ICAP servers do not support virus scanning for request modification, 
but support only content filtering. 



The following diagram illustrates the request modification process flow. 
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Process Flow 

1: (Blue arrow) Client 1 requests a Web page. 

2: The ProxySG forwards content to the ProxyAV for scanning services (which can vary based 
on the ICAP server configuration). The ProxyAV identifies a virus within the attachment and 
returns the results to the ProxySG. 

3: Client 1 receives an exception message that the infected attachment was identified and 
stripped. 



Figure 3-2 Request Modification Process Flow 



Returning the Object to the ProxySG 

For response modification, the returned object can be the original unchanged 
object, a repaired version of the original object minus a virus, or an error message 
indicating that the object contained a virus. Each of these responses is configured 
on the ICAP server, independent of the appliance and the ICAP protocol. If the 
appliance receives the error message, it forwards the error message to the client 
and does not save the infected file. 



Note: For request modification, an object is never returned, regardless of whether 
it is infected or clean. 
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Caching and Serving the Object 

After an object has been scanned and is determined to be cacheable, the ProxySG 
saves it and serves it for the subsequent content requests. When the appliance 
detects that the cached content has changed on the origin server, it fetches a fresh 
version, then forwards it to the ICAP server for scanning. If the ProxySG uses 
policies in the ICAP configuration, the policy applies to content fetches, 
distributions, refreshes, and pipelining fetches. 

For more information on policies, see Section C: "Creating ICAP Policy" on page 
84. For more information on the <cache> layer, refer to Volume 10: Content Policy 
Language Guide. 

ICAP vl.O Features 

This section describes features of the ICAP vl.O protocol. 

Sense Settings 

The Sense Settings feature allows the ProxySG to query any identified ICAP 
server running vl.O, detect the parameters, and configure the ICAP service as 
appropriate. See "Creating an ICAP Service" on page 70. 

ISTags 

Am ICAP vl.O server is required to return in each response an ICAP header ISTag, 
which indicates the current state of the ICAP server. This eliminates the need to 
designate artificial pattern version numbers, as is required in v0.95. 



Note: Backing out a virus pattern on the ICAP server can revert ISTags to 
previous values that are ignored by the ProxySG. To force the ProxySG to 
recognize the old values, use the Sense Settings option, which is described in the 
configuration section. 



Persistent Connections 

New ICAP connections are created dynamically as ICAP requests are received (up 
to the defined maximum connection limit). The connection remains open to 
receive subsequent requests. If a connection error occurs, the connection closes to 
prevent more errors. 
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Improving the User Experience 

Object scanning adds another operation to the user process of requesting and 
receiving Web content. Therefore, the user might experience extremely slight 
noticeable delays during Web browsing as ICAP servers scan content. The 
ProxySG allows you to mitigate slower browse times and educate your users 
about what is occurring on their systems. This section discusses: 

□ Patience pages 

□ Data trickling 

□ Deferred scanning and infinite streams 

About Patience Pages 

Patience pages are HTML pages displayed to the user if an ICAP content scan 
exceeds the specified duration (seconds). You can configure the content of these 
pages to include a custom message and a help link. Patience pages refresh every 
five seconds and disappear when object scanning is complete. 

Notes 

□ Patience pages are not compatible with infinite stream connections — or live 
content streamed over HTTP — such as a cam or video feed. ICAP scanning 
cannot begin until the object download completes. Because this never occurs 
with this type of content, the ProxySG continues downloading until the 
maximum ICAP file size limit is breached. At that point, the ProxySG either 
returns an error or attempts to serve the content to the client (depending on 
fail open/ closed policy). However, even when configured to fail open and 
serve the content, the delay added to downloading this large amount of data 
is often enough to cause the a user give up before reaching that point. 

□ Patience pages are limited to Web browsers. 

About Data Trickling 

Patience pages provide a solution to appease users during relatively short delays 
in object scans. However, scanning relatively large objects, scanning objects over a 
smaller bandwidth pipe, or high loads on servers might disrupt the user 
experience because connection time-outs occur. To prevent such time-outs, you 
can allow data trickling to occur. Depending on the trickling mode you enable, the 
ProxySG either trickles — or allows at a very slow rate — bytes to the client at the 
beginning of the scan or near the very end. 

The ProxySG begins serving server content without waiting for the ICAP scan 
result. However, to maintain security, the full object is not delivered until the 
results of the content scan are complete (and the object is determined to not be 
infected). 



Note: This feature is supported for the HTTP proxy only; FTP connections are not 
supported. 
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Trickling Data From the Start 

In trickle from start mode, the ProxySG buffers a small amount of the beginning of 
the response body. As the ICAP server continues to scan the response, the 
ProxySG allows one byte per second to the client. 




LEGEND: 



1 : After 5 seconds (default), trickling begins. 

2: The response is received from the ICAP server (clean), and the client receives the 
remaining bytes at the best connection possible. 



Figure 3-3 A client receives only the initial bytes of a transaction during the ICAP scan. 
After the ICAP server completes its scan: 



□ If the object is deemed to be clean (no response modification is required), the 
ProxySG sends the rest of the object bytes to the client at the best speed 
allowed by the connection. 

□ If the object is deemed to be malicious, the ProxySG terminates the connection 
and the remainder of the response object bytes — which in this case are the 
majority of the bytes — are not sent to the client. 



Deployment Notes 

□ This method is the more secure option because the client receives only a small 
amount of data pending the outcome of the virus scan. 

□ One drawback is that users might become impatient, especially if they notice 
the browser display of bytes received. They might assume the connection is 
poor or the server is busy, close the client, and restart a connection. 

Trickling Data at the End 

In trickle at end mode, the ProxySG sends the response to the client at the best 
speed allowed by the connection, except for the last 16 KB of data. As the ICAP 
server performs the content scan, the ProxySG allows one byte per second to the 
client. 
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LEGEND: 

1 : After 5 seconds (default), the ICAP scan begins, but the client begins receiving bytes at 
the best connection possible. 

2: Trickling begins for the final 16K of data. 

3: The response is received from the ICAP server (clean), and the client receives the 
remaining bytes. 

Figure 3-4 A client receives most of the bytes immediately during the ICAP scan. 

After the ICAP server completes its scan, the behavior is the same as described in 

"Trickling Data From the Start" on page 65. 

Deployment Notes 

□ Blue Coat recommends this method for media content, such as flash objects. 

□ This method is more user-friendly than trickle at start. This is because users 
tend to be more patient when they notice that 99% of the object is downloaded 
versus 1%, and are less likely to perform a connection restart. However, 
network administrators might perceive this method as the less secure method, 
as a majority of the object is delivered before the results of the ICAP scan. 

General Deployment Notes 

This section provides information about data trickling deployments. 

Deciding between Data Trickling and Patience Pages 

ProxySG configuration options plus policy allow you to provide different ICAP 

feedback actions depending upon the type of traffic detected: 

□ Blue Coat defines interactive as the request involving a Web browser. Web 
browsers support data trickling and patience pages. 

□ Non-interactive traffic originates from non-browser applications, such as 
automatic software download or update clients. Such clients are not 
compatible with patience pages; therefore, data trickling or no feedback are 
the only supported options. 
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Based on whether the requirements of your enterprise places a higher value either 
on security or availability, the ProxySG allows you to specify the appropriate 
policy However, you must also consider the user agents involved when 
determining the appropriate feedback method. For example, streaming clients 
cannot deliver patience pages, but they are susceptible to connection time-outs. 
Therefore, trickling is the suggested method. The following diagram provides 
basic guidelines for deciding which feedback method to implement. 




Figure 3-5 Deciding which ICAP feedback method to employ. 



Proxy Chaining Deployments 

Proxy chaining deployments are common in enterprises, especially in core/ 
branch office scenarios. Data trickling is achievable, but behavior is dependent 
upon how the ProxySGs are configured. The following are common deployment 
scenarios. 

□ The downstream ProxySG is performing ICAP scanning, and the upstream ProxySG is 
not: Data trickling and patience pages are not affected in this scenario. 
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□ The upstream ProxySG is performing ICAP scanning, and the downstream ProxySG is 
not: The only issue with this deployment is that user agent-specific policy 
cannot be applied at the core ProxySG because the branch ProxySG 
consolidates multiple client requests in one out-going request to the upstream 
ProxySG. If data trickling is employed at the upstream ProxySG and if ICAP 
scanning detects a virus, the upstream ProxySG resets the client connection. 
This also deletes the corrupted object from the downstream ProxySG cache. 

□ Both ProxySG appliances (upstream and downstream) are scanning: Behavior is 
mostly determined by the configuration of the upstream ProxySG. 

• If the upstream ProxySG is configured to deliver patience pages, then the 
downstream ProxySG also attempts to serve patience pages, including to 
non-graphical user agents. Therefore, this method is not recommended. 

• If the upstream ProxySG employs data trickle from start, the downstream 
ProxySG is not able to send any bytes to the client for a long period of 
time. If a patience page is not configured on the downstream ProxySG, 
users might experience connection time-outs. 

• If the upstream ProxySG employs trickle at end, the downstream ProxySG 
allows for all options of patience page and data trickling. 

Avoiding Network Outages due to Infinite Streaming Issues 

Infinite streams are connections such as web cams or flash media — traffic over an 
HTTP connection — that conceivably have no end. Characteristics of infinite 
streams may include no content length, slow data rate and long response time. 
Because the object cannot be fully downloaded, the ICAP content scan cannot 
start; however, the connection between the ProxySG and the Proxy AV remains, 
which wastes finite connection resources. 

The deferred scanning feature solves the infinite streaming issue by detecting 
ICAP requests that are unnecessarily holding up ICAP connections (without 
requiring the Proxy AV) and defers those requests until the full object has been 
received. 

How Deferred Scanning Works 

Deferred scanning detects the possibility of infinite streams by the fact that the 
number of ICAP resources in use has reached a certain threshold. It then defers 
the scanning of those streams by deferring the oldest, outstanding ICAP requests 
first. For every new ICAP request, the ProxySG does the following: 

□ If the total number of outstanding ICAP actions for the current server has 
reached the defer threshold, the ProxySG defers the oldest ICAP connection 
that has not yet received a full object. 

The defer threshold is specified by the administrator as a percentage. For 
example, if the defer threshold is set to 70 percent and the maximum connections 
are set to 100, then up to 70 connections are allowed before the ProxySG begins to 
defer connection which have not finished downloading a complete object. 
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Note: See "Creating an ICAP Service" on page 70 for information about setting 
the defer scanning threshold value on the ProxySG Management Console. 



When an ICAP connection is deferred, the connection to the ICAP server is closed. 
The application response continues to be received and when the download is 
complete the ICAP request is restarted. The new ICAP request may still be 
queued if there are no available ICAP connections. Once a request is deferred, 
ICAP waits to receive the full object before restarting the request. If there is a 
queue when a deferred action has received a complete object, that action is 
queued behind other deferred actions that have finished. However it will be 
queued before other new requests. 

Deferred Scanning and Setting the Feedback Options 

Depending on how you configure the ICAP feedback option (patience page or 
data trickling) and the size of the object, deferred scanning may cause a delay in 
ICAP response because the entire response must be sent to the ICAP server at 
once. The feedback option allows you to specify the type of feedback you want to 
receive during an ICAP scan. For information about setting feedback options, see 
"Configuring ICAP Feedback" on page 76. 

If a patience page is configured, the browser continues to receive a patience page 
until the object is fully received and the outstanding ICAP actions have 
completed. 

If the data trickle options are configured, the object continues to trickle during 
deferred scanning. However, due to the trickle buffer requirement, there may be a 
delay, with or without deferred scanning, before the ProxySG starts sending a 
response. 

About ICAP Server Failover 

When creating an ICAP action, you can specify a list of ICAP servers or groups to 
use, in order of preference. If the first server or group in the list does not pass the 
health checks, the ProxySG moves down the list until it finds a server or group 
that is healthy and uses that to perform the scanning. 

The primary server resumes ICAP processing when the next health check is 
successful; the standby server or server group does not retain the primary 
responsibility. 

Notes 

□ Failover is configured as part of the ICAP policy definition. 

□ You cannot configure failover policy until ICAP services are configured on the 
ProxySG. 

□ To avoid errors, ICAP service names cannot be named fail_open or fail_closed 
(the CLI commands prevent these names from being created). 
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Section B: Configuring ProxySG ICAP Communications 

This section describes how to configure the ProxySG to communicate with an 
ICAP server to perform content scanning tasks. 

Creating an ICAP Service 

Am ICAP service on the ProxySG is specific to the ICAP server and includes the 
server IP address or hostname, ICAP method as well as the supported number of 
connections. If you are using the ProxySG with multiple ICAP servers or multiple 
scanning services on the same server, add an ICAP service for each server or 
scanning service. 

To create and configure an ICAP service: 

1. Select Configuration > External Services > ICAP Services. 



2a 



2b 



ICAP Services 

Services: 



ICAP Feedback 



ICAP Patience Page 



Service 
resource 1 



testl 



Response 1 



Edit 



Delete 



Add list item 



Preview 



Unsaved chain 



, Inc All rights reserv 



Add ICAP Service 



' Response 1 



OK 



3 



Cancel 



2. Add a new service: 



a. Click New; the Add List Item dialog displays. 

b. Enter an alphanumeric name in the Add ICAP Service field. This 
example uses Responsel. 

c. Click OK. The new ICAP object displays in the services list. 

3. Highlight the new ICAP service name and click Edit. The Edit ICAP Service 
dialog displays. 
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4a-f 




4. Configure the service communication options: 



Note: The default ICAP version is 1.0 and cannot be changed. 



a. In the Service URL field, enter the ICAP server URL (Proxy AV), which 
includes the URL schema, ICAP server hostname or IP address. For 
example: 

icap : //10 . x . x. x/ 

b. In the Maximum Number of Connections field, enter the maximum 
possible connections at any given time that can occur between the 
ProxySG and the ICAP server. The range is a number from 1 to 65535. 
The default is 5. The number of recommended connections depends on 
the capabilities of the ICAP server. Refer to the vendor's product 
information. 
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Note: An ICAP service pointing to a Web Washer server must use icap 
as the protocol in the URL. Blue Coat also recommends that you review 
your specific ICAP server documentation, as each vendor might require 
additional URL information 



c. In the Connection timeout field, enter the number of seconds the 
ProxySG waits for replies from the ICAP server. The range is 1 to 
65535. The default timeout is 70 seconds. 

d. Select Defer scanning at threshold to set the threshold at which the 
ProxySG defers the oldest ICAP connection that has not yet received a 
full object. The range is 0 percent - 100 percent. By default, the 
deferred scanning threshold is disabled when an ICAP service is 
created. When enabled, the defer threshold scanning defaults to 80 
percent. 

e. Select Notify administrator when virus detected to send an e-mail to the 
administrator if the ICAP scan detects a virus. The notification is also 
sent to the Event Log and the Event Log e-mail list. 

f. Select Use vendor’s “virus found” page to display the default vendor error 
exception page to the client instead of the ProxySG exception page. 

This is the default behavior for SGOS upgrades from previous versions. 
This feature maintains the same appearance of previous versions, but also 
retains the inherent timestamp issues involved with cache hits. If this 
option is not selected, the exception pages originate from the ProxySG, 
and they employ the accurate timestamps for cache hits. 
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0 response modification 
0 request modification 
500 | 0 enabled 

0 Client address 0 Server address 

0 Authenticated user 0 Authenticate 



5. Configure service ports for plain ICAP and secure ICAP. You can enable one 

or both types of ICAP connections at the same time. However, you must select 

at least one type of ICAP service. 

a. Select This service supports plain ICAP connections to use plain ICAP. Use 
plain ICAP when you are scanning plain data (HTTP). In this case, if 
the HTTPS proxy is enabled on the ProxySG, the data is decrypted first 
on the ProxySG and then sent to the ICAP server. 

b. In the Plain ICAP port field, enter a port number. The default port is 1344. 

c. Select This service supports secure ICAP connections to use secure ICAP. 

Use secure ICAP when you are scanning sensitive or confidential data 
(HTTPS). 

d. In the Secure ICAP port field, enter a port number. The default port is 
11344. 

e. If you selected secure ICAP, make sure that you select a valid SSL 
profile for secure ICAP in the SSL Device Profile field. This associates an 
SSL device profile with the secure ICAP service. 



5a -e 



Method supported: 

Preview size (bytes): 
Send: 



ICAP server tag: 



Note: If you do not select an SSL device profile you cannot use secure 
ICAP connections. The SSL device profile can be customized for your 
environment. For more information, refer to Volume 4: Securing the Blue 
Coat ProxySG Appliance. 
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6. Configure ICAP vl.O features: 

a. (Optional) Click Sense Settings to automatically configure the ICAP 
service using the ICAP server parameters. 

b. Select the ICAP method: response modification or request 
modification. 



Note: Am ICAP server might have separate URLs for response 
modification and request modification services. 



c. In the Preview size (bytes) field, enter a byte value and select enabled. The 
ICAP server reads the object up to the specified byte total. The ICAP 
server either continues with the transaction (that is, receives the 
remainder of the object for scanning) or opts out of the transaction. 

The default is 0. Only response headers are sent to the ICAP server; more 
object data is only sent if requested by the ICAP server. 

d. (Optional) The Send options allow additional information to be 
forwarded to the ICAP server. Select one or more of the following: 

Client address. Server address. Authenticated user, or Authenticated groups. 

e. Click Health check to perform an immediate health check on this 
service. 

f. Click OK to close the dialog. 

7. Click Apply. 

See Also 

"About Content Scanning" on page 58 
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"Workflow Tasks" on page 59 

"Avoiding Network Outages due to Infinite Streaming Issues" on page 68 
"Configuring ProxySG ICAP Communications" on page 70 
"Creating ICAP Policy” on page 84 
"Managing Virus Scanning" on page 92 

Managing ICAP Health Checks 

ProxySG health check features allow you to perform tasks such as immediate 
checking, disable health checks, and override various notifications and settings. 

To manage ICAP health checks: 

1. Select Configuration > Health Checks > General. 




2. Select an ICAP service or service group. 

3. Click Perform health check to get an immediate connection status for the 

Proxy AV or service group. 

4. Click Edit to display the Edit ICAP Health Check dialog. 

5. Select the Enabled state: 

• Enabled: Marks the ICAP service or group as enabled and functioning. 

• Disabled, reporting as healthy: Marks the ICAP service as healthy, but not able 
to receive connections. One reason to select this option is to preserve 
current statistics; the disabled state is temporary. 

• Disabled, reporting as sick: Marks the ICAP service as down and not able to 
receive connections. One reason to select this is that you are taking the 
server offline for maintenance or replacement. 

6. Click Apply. 

The Health Check chapter in Volume 5: Advanced Networking provides more 

detailed information about all of the health check configuration options, 

including override features. 
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Deleting an ICAP Service 

The following steps describe how to delete an ICAP service. 

Note: You cannot delete an ICAP service used in an ProxySG policy (that is, if a 
policy rule uses the ICAP service name) or that belongs to a service group. 

To delete an ICAP service: 

1. Select Configuration > External Services > ICAP. 

2. Select the service to be deleted. 

3. Click Delete; click OK to confirm. 

4. Click Apply. 

Configuring ICAP Feedback 

This section describes how to specify what type of feedback is provided to users 
during an ICAP scan. See "Improving the User Experience" on page 64. 

To specify and configure the ICAP feedback method: 

1. Select Configuration > External Services > ICAP > ICAP Feedback. 
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2. Configure options for interactive traffic (browser-based requests): 

a. The Do not provide feedback... option means that if users experience 
delays in receiving content, they are not notified as to the reason (ICAP 
scanning). Selecting this option greys out the other options. 

b. The default duration to wait before notifying a client that an ICAP 
scan is occurring is five seconds. You can change this value in the 
Provide feedback after field, but if you make the value too long, users 
might become impatient and manually close the client, believing the 
connection is hung. 

c. Select the feedback method: 

• Return patience pages: The client displays a Web page to the user 
providing a description of the delay (ICAP scanning). This page is 
customizable, as described in the next section. 



Note: When the deferred scanning option is enabled when a patience 
page is configured, the browser continues to receive a patience page until 
the object is fully received and the outstanding ICAP actions have 
completed. 



• Trickle object data from start: The client receives 1 byte per second, 
which should prevent connection time-outs while the ICAP server 
performs the scan. If the response from the ICAP server is clean, the 
client receives the rest of the object data at the best connection speed 
possible. If the scan detects malicious content, the connection is 
dropped. This is the more secure method. 
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• Trickle object data at end: The client receives most (99%) of the object 
data, but the final bytes are sent at the rate of one per second while the 
ICAP scanner performs the scan. If the response from the ICAP server 
is clean, the client receives the rest of the object data at the best 
connection speed possible. If the scan detects malicious content, the 
connection is dropped. This is the least secure method, as most of the 
data has already been delivered to the client. However, this method 
provides the best user experience because there most of the object is 
already delivered. 



Note: When deferred scanning is enabled and the data trickle options are 
configured, the object continues to trickle during deferred scanning. 
However, due to the trickle buffer requirement, there may be a delay 
before the ProxySG starts sending a response. 



3. Configure options for non-interactive traffic (content such as flash animation 
over HTTP): 

a. The Do not provide feedback... option means that if users experience 
delays in receiving content, they are not notified as to the reason (ICAP 
scanning). Selecting this option greys out the other options. 

b. The default duration to wait before notifying a client that an ICAP 
scan is occurring is five seconds. You can change this value in the 
Provide feedback after field, but if you make the value too long, users 
might become impatient and manually close the client, believing the 
connection is hung. 

c. Select the feedback method: 

• Trickle object data from start: See the descriptions in Step 2. 

• Trickle object data at end: See the descriptions in Step 2. 

4. Click Apply. 

These configurations are global. You can define further feedback policy that 
applies to specific user and conditional subsets. In the VPM, the object is located 
in the Web Access Layer: Return ICAP Feedback. 

Customizing ICAP Patience Text 

This section describes how to customize text displayed during ICAP scanning. 
Patience pages are displayed if the appropriate option is selected, as described in 
the previous section: "Improving the User Experience" on page 64. 

HTTP Patience Text 

The ProxySG allows you to customize the patience page components and text that 
are displayed to users when HTTP clients experience delays as Web content is 
scanned. 
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To customize HTTP patience pages: 

1. Select Configuration > External Services > ICAP > ICAP Patience Page. 



ICAP Services ICAP Patience 

HTTP Patience Page Customization: — 



Page 



2a 


-H 


Header 


2b 


-^l 


Summary 


2c — 


H 


Details 


2d 


-l 


Help 



l_i eac j er | Customize the patience HTML header 



Customize the patience help 



r FTP Patience Page Customization: 



Summary 



Customize the FTP patience text 



2. In the HTTP Patience Page Customization section, click Header, Summary, Details, or 

Help. The corresponding customize dialog displays. Customize the 
information as appropriate. 



- Custom Patience Header: 

<title>Please be patient</title> 

<meta http - e quiv= " content -type 11 content="text/html; charset=IS 
0 8859 - 1 " >■ 



a. Custom Patience Header — Contains HTML tags that define what 

displays in the dialog title bar. This component also contains the <meta 
http-equiv> tag, which is used to specify a non-English character set. 



- Custom Patience Summary Message: 

Your content request is experiencing a slight delay while it 
is scanned for malicious content or viruses. If the content 
is determined clean, you will receive the request. Pleae be 
patient . 

* 



b. Custom Patience Summary Message — HTML and text that informs users 
that a content scan is occurring. 
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Custom Patience Details Message: 



<td valign="top" width="30% ">URL: </td> 
<td valign="top">$ (url) </td> 




<tr> 

<td valign="top" width="30$ ">Time elapsed: </td> 
<td valign="top">$ (patience_time ) </td> 



v 



c. Custom Patience Details Message — Uses data to indicate scanning 

progress. The information includes the URL currently being scanned, 
the number of bytes processed, and the elapsed time of the scan. 



d. Custom Patience Help Message — Displays instructions for users should 
they experience a problem with the patience page. 

3. Click Apply. 

All of these components are displayed on the patience page. 

Windows XP, Service Pack 2 Behavior 

Microsoft is continually updating Windows XP security measures, which impacts 

how the ProxySG manages patience pages. 

□ Browsers running on Windows XP, Service Pack 2 (XP SP2), experience 
slightly different patience page behavior when pop-up blocking is enabled. 

• If pop-up blocking is not enabled, patience page behavior should be normal. 

• If pop-up blocking is enabled (the default), the ProxySG attempts to display the 
patience page in the root window. 

• If the download triggers an invisible Javascript window, the user can track the 
scanning progress with the progress bar at the bottom of the window; however, if 
other policy blocks Javascript active content, this bar is also not visible. 

□ If Internet Explorer blocks all downloads initiated by Javascript, the user must 
click the yellow alert bar to download the scanned object. 

□ Users experience two patience page responses for non-cacheable objects. 



Custom Patience Help Message: 



If your browser does not support automatic refresh, 
click the following link to download the scanned object. 

<a href="$ (patience_url) ">Continue</a> 

<p><strong>Note: </strong> i^osing this window terminates the 
download. </p> 



■Coni 
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Section B: Configuring ProxySG ICAP Communications 

Interactivity Notes 

□ When ICAP scanning is enabled and a patience page is triggered, a unique 
URL is dynamically generated and sent to the browser to access the patience 
page. This unique URL might contain a modified version of the original URL. 
This is expected behavior. 

□ Patience pages and exceptions can only be triggered by left-clicking a link. If a 
user right-clicks a link and attempts to save it, it is not possible to display 
patience pages. If this action causes a problem, the user might see browser- 
specific errors (for example, an Internet site not found error); however, ICAP 
policy is still in effect. 

□ A patience page is not displayed if a client object request results in an HTTP 
302 response and the ProxySG pipelines the object in the Location header. 
After the ProxySG receives the client request for the object, the client enters a 
waiting state because a server-side retrieval of the object is already in 
progress. The wait status of the client request prevents the patience page from 
displaying. To prevent the ProxySG from pipelining these requests (which 
decreases performance) and to retain the ability to provide a patience page, 
configure HTTP as follows: 

#SGOS (config) http no pipeline client redirects 

□ The status bar update does not work if it is disabled or if the Javascript does 
not have sufficient rights to update it. 

□ Looping: Certain conditions cause browsers to re-spawn patience pages. For 
example, a site states it will begin a download in 10 seconds, initiates a pop-up 
download window, and returns to the root window. If the download window 
allows pop-ups, the patience page displays in a separate window. The 
automatic return to the root window initiates the download sequence again, 
spawning another patience page. If unnoticed, this loop could cause a system 
hang. The same behavior occurs if the user clicks the back button to return to 
the root window. For known and used download sites, you can create policy 
that redirects the page so that it doesn't return to the root window after a 
download starts. 

FTP Patience Text 

For content over FTP, the patience text displayed to FTP clients during an ICAP 

scan can be modified. 

To customize FTP patience text: 

1. Select Configuration > External Services > ICAP > ICAP Patience Page. 
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ICAP Services 


ICAP Patience Page 




r HTTP Patience Page Customization: 




Header 


I Customize the patience HTML header 




| Summary 


Customize the patience summary 




Details 


Customize the patience details 




Help 


| Customize the patience help 




r FTP Patience Page Customization: 




-o [ Summary 


| Customize the FTP patience text 



2. In the FTP Patience Page Customization field, click Summary; the Customize FTP 
Patience Text dialog displays. Customize the FTP client patience text as 
appropriate. 

3. Click OK. 

4. Click Apply. 



Related CLI Syntax to Manage ICAP Communications 

□ To enter configuration mode: 

SGOS# (config) external-services 

□ The following subcommands are available: 



SGOS# (config external-services) 

SGOS# (config external-services) 

SGOS# (config icap service_name) 

SGOS# (config icap service^name) 

SGOS# (config icap service^name) 

SGOS# (config icap service_name) 

SGOS# (config icap service_name) 

SSGOS# (config icap service_name) preview-size bytes 



create icap service_name 
edit service name 

url icap ://url 
max- conn number 
timeout timeout_seconds 

notify virus-detected 
methods { REQMOD | RESPMOD } 



SGOS# (config icap servicename) 

address } 

SGOS# (config icap servicename) 
authenticated-groups } 

SGOS# (config icap service_name) 
SGOS# (config icap servicename) 
SGOS# (config icap servicename) 
(config icap service name) 
(config icap service name) 
(config icap service name ) 
(config icap service name) 
(config icap service name) 
(config icap service name) 
(config external-service) 



send {client-address | s€ 
send { authenticated-user 



SGOS# 

SGOS# 

SGOS# 

SGOS# 

SGOS# 

SGOS# 

SGOS# 

SGOS# 

header 



sense- settings 
patience-page seconds 
ssl-device-prof ile profile-name 
port {port | default; 
no port { port I default; 
secure-port 
no secure-port 
use-vendor-virus-page 

defer-threshold defer threshold value 
delete service name 



(config external-services) inline http icap-patience {details | 
| help | javascript | summary} eof 
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SGOS# (config external-services) inline ftp icap-patience-text eof 
SGOS# (config external-services) icap feedback interactive patience- 
page {seconds) 

SGOS# (config external-services) icap feedback {interactive | non- 
interactive} {trickle-start | trickle-end | none }{ seconds) 
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Section C: Creating ICAP Policy 

Section C: Creating ICAP Policy 

Defined ICAP policy dictates the anti-virus and ICAP server failover behavior for 
your enterprise. You can either use the Visual Policy Manager (VPM) or you can 
manually edit policy files. For more information on the VPM and defining 
policies, refer to Volume 6: The Visual Policy Manager and Advanced Policy. 

Use the request . icap service ( ) (request modification) or 

response. icap_service ( ) (response modification) properties to manage the 

ProxySG ICAP services. 

VPM Objects 

The VPM contains the following objects specific to AV scanning (linked to their 
descriptions in the VPM chapter). 

Table 3-3 AV Scanning Objects 



Object 


Layer>Column 


Virus Detected 


Web Access>Service 


ICAP Error Code 


Web Access>Service 


Return ICAP Feedback 


Web Access>Action 


Set ICAP Request Service 


Web Access>Action 


Set ICAP Request Service 


Web Content>Action 


Set ICAP Response Service 


Web Content>Action 



Note: For CPL policy, refer to Volume 10: Content Policy Language Guide. 



Example ICAP Scanning Policy 

The following VPM example demonstrates the implementation of an ICAP policy 

that performs virus scanning on both client uploads (to prevent propagating a 

virus) and responses (to prevent the introduction of viruses), and provides 

failover with backup ICAP services. 

For this example: 

□ The ProxySG has configured ICAP services. The response service is 
avresponsel and the request service is avrequestl. 

□ Two backup response services are configured: avreponse2 and avresponse3. 

□ The Proxy AV is the virus scanner and it is configured to serve password- 
protected files. 

□ A group named IT is configured on the ProxySG. 

□ The IT group wants the ability to download password protected files, but 
deny everyone else from doing the same. 
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To perform virus scanning, protecting both the server side and the client side: 

1. In the VPM, select Policy > Web Access Layer. Name the layer RequestAV. 

2. Right-click the Action column; select Set. The Set Action Object dialog displays. 

3. Click New. 

4. Select Set ICAP Request Service; the Add ICAP Request Service Object dialog 
displays. 




5a 



5b 



5c 



5d 



5. Configure the request service object: 

a. Select Use ICAP request service. 

b. Select the ICAP mode If available use secure ICAP connections for encrypted 
responses. This mode uses plain ICAP for HTTP traffic and secure 
ICAP for HTTPS traffic. This is the default mode. 



The Always use secure ICAP connections mode uses secure ICAP for all traffic 
(both HTTP and HTTPS). The Always use plain ICAP connection mode uses 
plain ICAP for all traffic (both HTTP and HTTPS). 
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c. From the Available services field, select the avrequestl and click Add. This 
moves the service name to the Selected failover sequence field. 

d. Accept the default: Deny the client request. This prevents a client from 
propagating a threat. If a virus is found, the content is not uploaded. 
For example, a user attempts to post a document that has a virus and is 
denied. 

e. Click OK; click OK again to add the object to the rule. 



RequestAvj 

No. Source Destination Service Time Action Track Comment 

1 |Any |Any |Any |Any |£» RequestAV |None 

Figure 3-1. Request 

6. In the VPM, select Policy > Add Web Content Layer. Name the rule ResponseAV. 

7. Right-click the Action column; select Set. The Set Action Object dialog displays. 

8. Click New. 

9. Select Set ICAP Response Service; the Add ICAP Response Service Object dialog 
displays. 
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10a 



10b 



10c 



lOe 



10. Configure the response service object: 

a. Select Use ICAP response service. 

b. Select the ICAP mode. If available use secure ICAP connections for 
encrypted requests. 

c. Select avresponsel and click Add. 

d. Repeat Step b for to add the additional failover services. 

e. Select Deny the client request. This scans the responses for viruses before 
the object is delivered to the client. If a virus is found, the content is not 
served. 

f. Click OK; click OK again to add the object to the rule. 

To log a detected virus: 

1. In the VPM, select Policy > Web Access Layer. Name the layer AVErrors. 
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2. Right-click the Service column; select Set. The Set Service Object dialog 
displays. 

a. Select Virus Detected (static object). 

b. Click OK to add the object to the rule. 

3. Right-click the Action column. Select Deny. 

4. Right-click the Track column. Select Set; the Set Track Object dialog displays. 

a. Click New; select Event Log. The Event Log dialog displays. 

b. In the Name field, enter VirusLogl. 

C. From the scroll-list, select icap_virus_details, localtime, and client- 

address. Click Insert. 

d. Click OK; click OK again to add the object to the rule. 



RequestAV ResponseAV j AVErrors 


No. Source Destination Service Time 


Action 


Track 


Comment 


1 |Any |Any Virus Detected Any 


© Deny 


\m VirusLogl 


nzzz i 



Figure 3-2. The AVErrors rule 

To create an exception for IT group: 

1. In VPM, select Policy > Add Web Access Layer. Name the rule AVExceptions. 

2. Add the IT group object to the Source column. 

3. Right-click the Service column; select Set. The Set Service Object dialog 
displays. 

4. Click New; select ICAP Error Code. The Add ICAP Error Code Object displays. 
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5c 



5. Add the error code: 

a. Select Selected Errors. 

b. From the list of errors, select Password Protected Archive; click Add. 

c. Name the object password_protected. 

d. Click OK; click OK again to add the object to the rule. 

6. Right-click the Action column and select Allow. 

7. Click Add Rule. 

8. In the Service column, add the password_protected object. 

9. Right-click the Action column; select Deny. 





RequestAV ResponseAV AVErrors AVExceptions 


No. Source Destination Service Time Action Track 


Comment 






1 


gj cn=IT... 


Any 


Tj_ password_protected 


Any 


Q Allow 


None 






2 


Any 


Any 


password_protected 


Any 


© Deny 


None 
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After this policy is installed: 

□ Virus scanning is performed for client attempts to upload content and content 
responses to client requests. 

□ If a virus is detected and there were no scanning process errors, a log entry 
occurs. 

□ As the Proxy AV is configured to serve password-protected objects, only the IT 
group can download such files; everyone else is denied. 



Exempting HTTP Live Streams From Response Modification 

The following CPL examples demonstrate how to exempt HTTP live streams from 
response modification, as they are not supported by ICAP. The CPL designates 
user agents that are bypassed. 



<proxy> 

url . scheme=http request . header . User-Agent=" 
response . icap_service (no) 
url . scheme=http request . header . User-Agent=" 
response. icap_service (no) 

url . scheme=http request . header . User-Agent=" 
response . icap_service (no) 
url . scheme=http request . header . User-Agent=" 
response . icap_service (no) 
url . scheme=http request . header . User-Agent=" 
response . icap_service (no) 
url . scheme=http request . header . User-Agent=" 
response . icap_service (no) 
url . scheme=http request . header . User-Agent=" 
response . icap_service (no) 



RealPlayer G2" 

(RMA) " 

(Winamp) " 

(NSPlayer) " 

(Windows -Media- Player) 
QuickTime" 

(RealMedia Player) " 



If 



Streaming Media Request Modification Note 

Some HTTP progressive download streaming media transactions are complex 
enough to disrupt ICAP request modification services. If such behavior is noticed 
(most common with RealPlayer), implement a workaround policy to bypass the 
ICAP request modification service for HTTP progressive downloads: 

For example: 

<proxy> 

url . scheme=http request_header . User-Agent=" (RealMedia Player) " 
request . icap_service (no) 
url . scheme=http request_header . User-Agent="RMA" 
request . icap_service (no) 



CPL Notes 

□ If policy specifies that an ICAP service is to be used, but the service is not 
available, the default behavior is to fail closed — that is, deny the request or 
response. The following CPL allows the serving of objects without ICAP 
processing if the server is down. 

request. icap service ( service_name , fail open) 
response . icap_service ( service_name , fail_open) 
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When the ICAP service is restored, these objects are scanned and served from 
the cache if they are requested again. 



Note: Blue Coat recommends this CPL to be used for internal sites; use with 
caution. 



□ To provide an exception to a general rule, the following CPL negates ICAP 
processing: 

request . icap_service (no) 
response . icap_service (no) 

□ When configuring the secure ICAP feature, the following CPLs are used: 



Note: These CPLs allow the user to configure the secure_connection 
separately for each service in failover sequence. 



request . icap_service . secure_connection ( option) 

response . icap_service . secure_connection ( option) 

request . icap_service . secure connection . service name (option) 

response . icap service . secure connection . service name (option) 

request . icap_service . secure connection 

[ service 0, service^l , , service_N-l ] ( option) 

response . icap service . secure_connection 

[service 0,service_l, . . ., service_N-l] ( option ) 

where option is yes, no or auto. The default option is auto. 

• yes- This option means that secure ICAP is used for all traffic (HTTP and 
HTTPS). 

• no- This option means that plain ICAP is used for all traffic (HTTP and 
HTTPS). 

• auto-This option (default) means that plain ICAP is used for HTTP traffic 
and secure ICAP is used for HTTPS traffic. 
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Section D: Managing Virus Scanning 

You might need to perform additional ProxySG maintenance concerning virus 
scanning, particularly for updates to the virus definition on the ICAP virus 
scanning server. 

Advanced Configurations 

This section summarizes more-advanced configurations between the ProxySG 
and multiple ICAP servers. These brief examples provide objectives and suggest 
ways of supporting the configuration. 

Using Object-Specific Scan Levels 

You can specify different scanning levels for different types of objects, or for 
objects from different sources. 

This requires a service group of ICAP servers, with each server configured to 
provide the same level of scanning. For more information, refer to Chapter 4: 
"Configuring Service Groups" on page 95. 

Improving Virus Scanning Performance 

You can overcome request-handling limitations of ICAP servers. Generally, 
ProxySGs can handle many times the volume of simultaneous user requests that 
ICAP servers can handle. 

This requires multiple ICAP servers to obtain a reasonable performance gain. On 
the ProxySG, define policy rules that partition requests among the servers. If you 
are going to direct requests to individual servers based on rules, configure in rule 
conditions that only use the URL. Note that you can increase the scale by using a 
service group, rather than use rules to partition requests among servers. For more 
information on using multiple ICAP servers, refer to Chapter 4: "Configuring 
Service Groups" on page 95. For more information about defining policies, refer to 
the Managing Policy Files chapter in Volume 6: The Visual Policy Manager and 
Advanced Policy, as well as Volume 11: Command Line Interface Reference. 

When the virus definitions are updated, the ProxySG stores a signature. This 
signature consists of the server name plus a virus definition version. If either of 
these changes, the ProxySG checks to see if the object is up to date, and then 
rescans it. If two requests for the same object are directed to different servers, then 
the scanning signature changes and the object is rescanned. 

Updating the ICAP Server 

If there is a problem with the integration between the ProxySG and a supported 
ICAP server after a version update of the server, you might need to configure the 
preview size the appliance uses. For information, see "Creating an ICAP Service" 
on page 70. 
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Replacing the ICAP Server 

If you replace an ICAP server with another supported ICAP server, reconfigure 
the ICAP service on the ProxySG: 

SGOS# (config) external- services 

SGOS# (config external-service) edit service_name 
SGOS# (config service_name) url url 

For information about these commands, see "Creating an ICAP Service" on page 
70. 

Access Logging 

The ProxySG provides access log support for Symantec and Finjan ICAP 1.0 
server actions (Management > Access Logging). The following sections describe 
access logging behavior for the various supported ICAP servers. 

Symantec AntiVirus Scan Engine 4.0 

When this Symantec server performs a scan, identifies a problem (for example, a 
virus), and performs a content transformation, the action is logged. For example: 

"virus-id: Type=number; Resolution= [ 0 | 1 | 2]; Threat=ua/ne; " 



where: 



Typ e=number 


Specifies the numeric code for the virus. 


Resolution= 


Specifies an integer value that indicates what action was taken to fix 
the file. Zero (0) defines the file is unrepairable, one (l) specifies that 
the file was repaired, and two (2) specifies that the file was deleted. 


Threat= 


Specifies the name of the virus. 



Finjan SurfinGate 7.0 

When this Finjan ICAP server performs a scan, identifies a problem (for example, 
a virus), and performs a content transformation, the action is logged. For example: 

"virus-id: name, response-info: Blocked, response-desc : virus_name was 
detected" 

Finjan ICAP servers also log occurrences malicious mobile code. 



Note: The access log string cannot exceed 256 characters. If the header name or 
value extends the length over the limit, then that string does not get logged. For 
example, if the x-virus-id header value is 260 characters, the access log displays 
"x-virus-id: " with no value because the value is too long to display. Also, if the 
access log string is already 250 characters and the ProxySG attempts to append a 
"Malicious-Mobile-Type : " string, the string is not appended 



Access log entries might vary depending upon the type of ICAP scan performed 
and the custom log formats. For information about Access Logging, refer to 
Volume 8: Access Logging. 
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This chapter describes how to create and manage ICAP or Websense service 
groups. In high-traffic network environments, a service group accelerates 
response time by a performing a higher volume of scanning. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ "About Weighted Load Balancing" on page 95 

□ "Creating a Service Group" on page 97 

□ "Deleting a Service Group or Group Entry" on page 99 

□ "Displaying External Service and Group Information" on page 100 

About Weighted Load Balancing 

The ProxySG supports weighted load balancing in forwarding requests to 
service groups. By default, the ProxySG performs typical round-robin load 
balancing and evenly forwards requests sequentially to servers as defined 
within the service group. Manually assigning weights takes advantage of 
round-robin load balancing in service groups that are not homogeneous, or 
where the servers have different capacities. 

Weighting determines what proportion of the load one server bears relative to 
the others. If all servers have either the default weight (1) or the same weight, 
each share an equal proportion of the load. If one server has weight 25 and all 
other servers have weight 50, the 25-weight server processes half as much as 
any other server. 

Before configuring weights, consider the relative weights to assign to each 
server. Factors that could affect assigned weight of a ICAP server include the 
following: 

□ The processing capacity of the server hardware in relationship to other 
servers (for example, the number and performance of CPUs or the number 
of network interface cards) 

□ The maximum number of connections configured for the service. The 
maximum connections setting pertains to how many simultaneous scans 
can be performed on the server, while weighting applies to throughput in 
the integration. While these settings are not directly related, consider both 
when configuring weighted load balancing. 



Note: External services (ICAP, Websense off-box) have a reserved connection 
for health checks (if you created health check services). This means that as the 
load goes up and the number of connections to the external service reaches 
the maximum, with additional requests being queued up and waiting, the 
maximum simultaneous connections is actually one less than the limit. 
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The following diagram provides an example of how weighting works with a 
service group of three Proxy AV ICAP servers. 




Users 




Admin 





Legend ^ 




ProxySG 8100 


— 


ProxyAV 810 


tm 


Desktop 



Legend: 

A: AVI; a Proxy AV with 10 maximum connections and a specified weight of 1. 

B: AV2; a Proxy AV with 10 maximum connections and a specified weight of 1. 

C: AV3, a ProxyAV with 25 maximum connections and a specified weight of 3. 

D: A ProxySG with a Service Group named AV_Reponse that contains AVI, AV2, and 
AV3. 



Process Flow: 

1: With load balancing, the ProxySG sends 100 response modification requests to the 
three ProxyAV appliances (by way of the AV_Reponse service group). 

2: AVI receives 20 requests. 

3: AV2 receives 20 requests. 

4: AV3 receives 60 requests. 



Figure 4-1 Service Group Process Flow 



Note: Setting the weight value to 0 (zero) disables weighted load balancing for 
the ICAP service. Therefore, if one ICAP server of a two-server group has a 
weight value of 1 and the second a weight value of 0 , should the first server go 
down, a communication error results because the second server cannot process 
the request. 



While you cannot specifically designate an ICAP server in a group as a backup, 
you can specify weight values that create a large differential between a server that 
is used continuously and one that is rarely used, thus simulating a backup server. 
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Creating a Service Group 

Create the service group and add the relevant ICAP or Websense services to the 
group. Services within group must be the same type (ICAP or Websense). 

To configure a service group: 

1. Select Configuration > External Services > Service-Groups. 




2. Add a new group: 

a. Click New; the Add List Item dialog appears. 

b. In the Add Service Group field, enter an alphanumeric name. This 
example creates a group called ICAP_Response. 

c. Click OK. 

3. Highlight the new service group name and click Edit; the Edit Service Group 
dialog appears. 
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p ICAP_Response Service-Group Entries: 

Service-Group Entries 



4a 



New 



Add Service-Group Entry 



Available service-group entries 
® List ICAP services A |Request2 a 

O List Websense services 



Response 1 
Response2 
Response3 
Response4 



4c 



OK Cancel 





4. Select existing services: 



a. Click New; the Add Service Group Entry dialog appears. 

b. If this ProxySG contains many configured ICAP or Websense (off-box) 
services, you can narrow the viewable list by selecting List ICAP services 
or List Websense services. 

c. From the list of existing services, select the ones to add to this group. 
Hold the Control or Shift key to select multiple services. 

d. Click OK to add the selected services to group. 
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ICAP_Response Service-Group Entries: 



Service-Group Entries 
Response 1 



Response2 

Response4 




Edit Service-Group Entry . 



Entry weight: 



5 <3- 



OK 



Cancel 



¥ 











New 


j r_ 


Edit 


Delete 



5b 



5. Assign weights to services: 

a. Select a service and click Edit; the Edit Service Group Entry weight 
dialog appears. 

b. In the Entry Weight field, assign a weight value. The valid range is 0-255. 
For conceptual information about service weighting, see "About 
Weighted Load Balancing" on page 95. 

c. Repeat steps a and b for other services, as required. 

d. Click OK to close the dialog. 

e. Click OK again to close the Edit Service Group Entry dialog 

6. Click Apply. 

Result: When instructed by created policies, the ProxySG sends ICAP response 
modification requests to ICAP servers in the service group. The load carried by 
each service in the group is determined by the weight values. 



Deleting a Service Group or Group Entry 

You can delete the configuration for an entire service group from the ProxySG, or 
you can delete individual entries from a service group. 



Note: A service or service group used in a ProxySG policy (that is, if a policy rule 
uses the entry) cannot be deleted; it must first be removed from the policy. 
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To delete a service group: 

1. Select Configuration > External Services > Service-Groups. 

2. Select the service group to be deleted. 

3. Click Delete; click OK to confirm. 

4. Click Apply. 

To delete a service group entry: 

1. Select Configuration > External Services > Service-Groups. 

2. Select the service group to be modified. 

3. Click Edit. 

4. Select the service entry to be deleted; click Delete. 

5. Click OK. 

6. Click Apply. 



Displaying External Service and Group Information 

After configuring a service group, you can display aggregate service group (and 
other External Services) information. 



To display information about all external services and groups: 

At the (config) command prompt, enter the following commands: 

SGOS# (config) external-services 

SGOS# (config external-services) view 

Individual service information is displayed first, followed by service group 
information. For example: 



; External Services 
icap4 

ICAP-Version : 

URL: 

Max-conn : 

Timeout (secs) : 
Health-checks : 
Patience-page ( secs ) 
Notification : 
Methods : 
Preview-size : 

Send: 

ISTag: 



1.0 

icap: //10. 1. 1. 1 
5 

70 

no 

: disabled 
never 
RESPMOD 
0 

nothing 



websense4 
Version : 

Host : 

Port : 

Max-conn : 

Timeout (secs) : 
Send: 

Fail-by-default : 
Apply-by-def ault : 



4 . 4 

www . websense . com/list 
15868 

5 

70 

nothing 

closed 

no 



Serve-exception-page : yes 
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; External Service-Groups 
CorpICAP 

total weight 5 
entries : 

ICAP1 
weight 4 
ICAP2 
weight 1 

BranchWeb sense 
total weight 2 
entries : 

Websensel 
weight 1 

Websense2 
weight 1 



Related CLI Syntax to Manage External Services 



□ To enter configuration mode: 



SGOS# (config) external-services 

□ The following commands are available: 



SGOS# 

SGOS# 

SGOS# 

SGOS# 

SGOS# 

SGOS# 

SGOS# 

SGOS# 



(config 

(config 

(config 

(config 

(config 

(config 

(config 

(config 



external-services) create service-group name 
service-group name) add service_name 
service-group name) edit service name 
service-group name) weight value 
external-services) delete service_group_name 
type name) remove entry_name 
external-services) view 
type name) view 
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Appendix A: Troubleshooting 



This appendix describes troubleshooting tips and solutions for Dynamic 
Categorization (DRTR) and Blue Coat Web Filter (BCWF). It discusses the 
following topics: 

□ "Unable to Communicate with the DRTR Service" on page 103 

□ "Event Log Message: Invalid DRTR Service Name, Health Check Failed" on 
page 103 

□ "Error Determining Category for Requested URL" on page 104 

□ "Contacting Technical Support" on page 105 

Unable to Communicate with the DRTR Service 

Blue Coat Web Filter and DRTR are enabled, and the following error message 
displays: 

Dynamic categorization error: unable to communicate with service 0 
510000:1 . . /protocols/ cerberian/Cerberian^api . cpp : 79 

To resolve this issue: 

1. Use DNS to resolve sp . cwf service . net. 



Note: The ProxySG resolves the domain name sp.cwfservice.net once a day 
and maintains the list of returned IP addresses. The ProxySG then uses the IP 
address that provides the fastest service. If an IP address that is in use fails to 
respond, the ProxySG will failover to an alternate IP address. Health checks are 
automatically conducted on all the IP addresses to make this failover as 
smooth as possible and to restore service to the geographically closest IP 
address as soon as it is available. 



2. Check the firewall logs for messages about denied or blocked traffic 
attempting to reach IP addresses or in response from IP addresses. A 
firewall rule denying or blocking in either direction impedes DRTR. 

Event Log Message: Invalid DRTR Service Name, Health Check Failed 

The following event log message displays: 

Invalid DRTR service name - Health check failed - Receive failed. 

These messages are common in event logs and, for the most part, should not 
affect your service. A server may fail an L4 health check for various reasons, 
but unless all servers (services) are unavailable for extended periods of time, 
you should not experience interruptions in DRTR services and can regard this 
as expected behavior. 
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When the proxy makes a request for the DRTR service name, several IP addresses 
for our servers are returned. The ProxySG will periodically perform a quick layer- 
4 health check (opening and closing a tcp socket with no data transfer) to each of 
those servers. In the event that the ProxySG cannot contact the server or doesn't 
receive a response quickly enough, it logs similar event log messages. 

Your DRTR service will not be interrupted unless all of the servers are unable to 
be contacted for more than a few seconds. When one of these error messages 
appears, the services health status changes back to healthy within 2 to 10 seconds. 



Error Determining Category for Requested URL 

The access log shows the category for a URL as Unavailable. 

The following is an example access log message: 

2007-08-07 22:19:02 59 10.78.1.98 404 TCP_NC_MISS 412 428 GET http 

www.sahnienterprise.com 80 /images/menu . gif - - - DIRECT 

www . sahnienterprise . com text/html ; %20char set=iso-8 85 9-1 http : // 

www . sahnienterprise . com/Mozilla/5 . 0 (Windows; U; Windows NT 5.1; en- 

US; rv:1.8.1.6) Gecko/20070725 Firefox/2 . 0 . 0 . 6 PROXIED "Unavailable" - 

10.78.1.100 

Start by manually testing the URL using the ProxySG Management Console or the 

test-ur l command. 

□ If you can categorize the URL from the CLI or Management Console, you can 
rule out most of the causes and suggested things to check in the following 
table. 

□ If you get unavailable in your test, go through the list of possible causes in 
the following table. 



Possible Causes 


Check the Following 


The database is not installed. 


Check show content-filter status. 


The database is corrupt. 


Check show content-filter status. 


The database has expired. 


Check show content-filter status. 


A communication error occurred 
contacting the DRTR service. 


Check the event log entries for 
DRTR messages. 


The ProxySG license has expired. 


Check show license. 


(Possible, but not likely) There are 
issues with memory or a disk error. 


Check event log entries for disk or 
memory messages. 



For more information about possible causes and solutions, see Chapter 2: Filtering 
Web Content, "Applying Policy to Categorized URLs" on page 44. 
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Contacting Technical Support 

If you need further assistance after reading through the solutions in this 
appendix, contact Blue Coat Technical Support at: 

www.bluecoat.com/ support/ contact.html 
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Glossary 



access control list — Allows or denies specific IP addresses access to a server. 

access log — A list of all the requests sent to a ProxySG. You can read an access 
log using any of the popular log-reporting programs. When a client uses HTTP 
streaming, the streaming entry goes to the same access log. 

account — A named entity that has purchased the ProxySG or the Entitlements 
from Blue Coat. 

activation code — A string of approximately 10 characters that is generated and 
mailed to customers when they purchase the ProxySG. 

active content stripping — Provides a way to identify potentially dangerous mobile 
or active content and scripts, and strip them out of a response. 

active content types — Used in the Visual Policy Manager. Referring to Web 
Access policies, you can create and name lists of active content types to be 
stripped from Web pages. You have the additional option of specifying a 
customized message to be displayed to the user 

administration access policy — A policy layer that determines who can access the 
ProxySG to perform administrative tasks. 

administration authentication policy — A policy layer that determines how 
administrators accessing the ProxySG must authenticate. 

AJAX — Acronym for Asynchronous JavaScript and XML, the technology used 
for live updating of Web objects without having to reload the entire page. 

Application Delivery Network (ADN) — A WAN that has been optimized for 
acceleration and compression by Blue Coat. This network can also be secured 
through the use of appliance certificates. An ADN network is composed of an 
ADN manager and backup ADN manager, ADN nodes, and a network 
configuration that matches the environment. 

ADN backup manager — Takes over for the ADN manager in the event it becomes 
unavailable. See ADN manager. 

ADN manager — Responsible for publishing the routing table to SG Clients (and 
to other ProxySG appliances). 

ADN optimize attribute — Controls whether to optimize bandwidth usage when 
connecting upstream using an ADN tunnel. 

A record — The central records of DNS, which link a domain or subdomain to an 
IP address. An A record can correspond to a single IP address or many IP 
addresses. 

asx rewrite — Allows you to rewrite URLs and then direct a client's subsequent 
request to the new URL. One of the main applications of ASX file rewrites is to 
provide explicit proxy-like support for Windows Media Player 6.4, which 
cannot set explicit proxy mode for protocols other than HTTP. 
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audit — A log that provides a record of who accessed what and how. 

authenticate-401 attribute — All transparent and explicit requests received on the port 
always use transparent authentication (cookie or IP, depending on the 
configuration). This is especially useful to force transparent proxy authentication 
in some proxy-chaining scenarios 

authenticated content — Cached content that requires authentication at the origin 
content server (OCS). Supported authentication types for cached data include 
basic authentication and IWA (or NTLM). 

authentication — Allows you to verify the identity of a user. In its simplest form, this 
is done through usernames and passwords. Much more stringent authentication 
can be employed using digital certificates that have been issued and verified by a 
Certificate Authority. See also basic authentication, proxy authentication, and SSL 
authentication. 

authentication realm — Authenticates and authorizes users to access SG services 
using either explicit proxy or transparent proxy mode. These realms integrate 
third-party vendors, such as LDAP, Windows, and Novell, with the Blue Coat 
operating system. 

authorization — The permissions given to an authenticated user. 



bandwidth — The amount of data you can send through a network or modem 
connection, usually measured in bits per second (bps). 

bandwidth class — A defined unit of bandwidth allocation. 

bandwidth class hierarchy — A gouping of bandwidth classes into a tree structure 
that specifies the relationship among different classes. You create a hierarchy by 
creating at least one parent class and assigning other classes as its children. 

bandwidth gain — Bandwidth gain is a calculation of the savings that occur when 
bandwidth is not consumed as a result of some form of optimization. 

For example, bandwidth gain for active sessions is calculated by subtracting the 
number of client bytes from the number of server bytes and dividing the result by 
the number of server bytes. 

(Client Bytes - Server Bytes) / Server Bytes 

bandwidth management — Classify, control, and, if needed, limit the amount of 
bandwidth used by network traffic flowing in or out of a ProxySG. 

basic authentication — The standard authentication for communicating with the 
target as identified in the URL. 

BCAAA — Blue Coat Authentication and Authorization Agent. Allows SGOS 5.x to 
manage authentication and authorization for IWA, CA eTrust SiteMinder realms, 
Oracle COREid, Novell, and Windows realms. The agent is installed and 
configured separately from SGOS 5.x and is available from the Blue Coat Web site. 

BCLP — Blue Coat Licensing Portal. 

byte-range support — The ability of the ProxySG to respond to byte-range requests 
(requests with a Range : HTTP header). 
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cache — An "object store," either hardware or software, that stores information 
(objects) for later retrieval. The first time the object is requested, it is stored, 
making subsequent requests for the same information much faster. 

A cache helps reduce the response time and network bandwidth consumption on 
future, equivalent requests. The ProxySG serves as a cache by storing content 
from many users to minimize response time and prevent extraneous network 
traffic. 

cache control — Allows you to configure which content the ProxySG stores. 

cache efficiency — A tab found on the Statistics pages of the Management Console 
that shows the percent of objects served from cache, the percent loaded from the 
network, and the percent that were non-cacheable. 

cache hit — Occurs when the ProxySG receives a request for an object and can serve 
the request from the cache without a trip to the origin server. 

cache miss — Occurs when the ProxySG receives a request for an object that is not 
in the cache. The ProxySG must then fetch the requested object from the origin 
server. 

cache object — Cache contents includes all objects currently stored by the ProxySG. 
Cache objects are not cleared when the ProxySG is powered off. 

Certificate Authority (CA) — A trusted, third-party organization or company that 
issues digital certificates used to create digital signatures and public key/ private 
key pairs. The role of the CA is to guarantee that the individuals or company 
representatives who are granted a unique certificate are who they claim to be. 

child class (bandwidth gain) — The child of a parent class is dependent on that parent 
class for available bandwidth (they share the bandwidth in proportion to their 
minimum/ maximum bandwidth values and priority levels). A child class with 
siblings (classes with the same parent class) shares bandwidth with those siblings 
in the same manner. 

cipher suite — Specifies the algorithms used to secure an SSL connection. When a 
client makes an SSL connection to a server, it sends a list of the cipher suites that it 
supports. 

client consent certificates — A certificate that indicates acceptance or denial of 
consent to decrypt an end user's HTTPS request. 

client-side transparency — A way of replacing the ProxySG IP address with the Web 
server IP address for all port 80 traffic destined to go to the client. This effectively 
conceals the ProxySG address from the client and conceals the identity of the 
client from the Web server. 

concentrator — A ProxySG, usually located in a data center, that provides access to 
data center resources, such as file servers. 

content filtering — A way of controlling which content is delivered to certain users. 
ProxySG appliances can filter content based on content categories (such as 
gambling, games, and so on), type (such as http, ftp, streaming, and mime type), 
identity (user, group, network), or network conditions. You can filter content 
using vendor-based filtering or by allowing or denying access to URLs. 
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default boot system — The system that was successfully started last time. If a system 
fails to boot, the next most recent system that booted successfully becomes the 
default boot system. 

default proxy listener — See proxy service (default). 

denial of service (DoS) — A method that hackers use to prevent or deny legitimate 
users access to a computer, such as a Web server. DoS attacks typically send many 
request packets to a targeted Internet server, flooding the server's resources and 
making the system unusable. Any system connected to the Internet and equipped 
with TCP-based network services is vulnerable to a DoS attack. 

The ProxySG resists DoS attacks launched by many common DoS tools. With a 
hardened TCP/IP stack, the ProxySG resists common network attacks, including 
traffic flooding. 

destination objects — Used in Visual Policy Manager. These are the objects that 
define the target location of an entry type. 

detect protocol attribute — Detects the protocol being used. Protocols that can be 
detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and 
Endpoint Mapper. 

diagnostic reporting — Found in the Statistics pane, the Diagnostics tab allows you to 
control whether Daily Heartbeats and/ or Blue Coat Monitoring are enabled or 
disabled. 

directives — Commands used in installable lists to configure forwarding and 
SOCKS gateway. 

DNS access — A policy layer that determines how the ProxySG processes DNS 
requests. 

domain name system (DNS) — An Internet service that translates domain names into 
IP addresses. 

dynamic bypass — Provides a maintenance-free method for improving performance 
of the ProxySG by automatically compiling a list of requested URLs that return 
various kinds of errors. 

dynamic real-time rating (DRTR) — Used in conjunction with the Blue Coat Web Filter 
(BCWF), DRTR (also known as dynamic categorization) provides real-time analysis 
and content categorization of requested Web pages to solve the problem of new 
and previously unknown uncategorized URLs — those not in the database. 

When a user requests a URL that has not already been categorized by the BCWF 
database (for example, a brand new Web site), the ProxySG dynamic 
categorization service analyzes elements of the requested content and assigns a 
category or categories. The dynamic service is consulted only when the installed 
BCWF database does not contain category information for an object. 



early intercept attribute — Controls whether the proxy responds to client TCP 
connection requests before connecting to the upstream server. When early 
intercept is disabled, the proxy delays responding to the client until after it has 
attempted to contact the server. 
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ELFF-compatible format — A log type defined by the W3C that is general enough to 
be used with any protocol. 

emulated certificates — Certificates that are presented to the user by the ProxySG 
when intercepting HTTPS requests. Blue Coat emulates the certificate from the 
server and signs it, copying the subjectName and expiration. The original 
certificate is used between the ProxySG and the server. 

encrypted log — A log is encrypted using an external certificate associated with a 
private key. Encrypted logs can only be decrypted by someone with access to the 
private key. The private key is not accessible to the ProxySG. 

EU LA — End user license agreement. 

event logging — Allows you to specify the types of system events logged, the size of 
the event log, and to configure Syslog monitoring. The ProxySG can also notify 
you by email if an event is logged. See also access logging. 

explicit proxy — A configuration in which the browser is explicitly configured to 
communicate with the proxy server for access to content. This is the default for 
the ProxySG and requires configuration for both the browser and the interface 
card. 

extended log file format (ELFF) — A variant of the common log file format, which has 
two additional fields at the end of the line — the referer and the user agent fields. 



fail open/closed — Failing open or closed applies to forwarding hosts and groups 
and SOCKS gateways. Fail open or closed applies when health checks are 
showing sick for each forwarding or SOCKS gateway target in the applicable fail- 
over sequence. If no systems are healthy, the ProxySG fails open or closed, 
depending on the configuration. If closed, the connection attempt simply fails. 

If open, an attempt is made to connect without using any forwarding target (or 
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no 
setting is specified. 

filtering — See content filtering. 

forward proxy — A proxy server deployed close to the clients and used to access 
many servers. A forward proxy can be explicit or transparent. 

FTP — See Native FTP and Web FTP. 



gateway — A device that serves as entrance and exit into a communications 
network. 



hardware serial number — A string that uniquely identifies the ProxySG; it is assigned 
to each unit in manufacturing. 

health check tests — The method of determining network connectivity, target 
responsiveness, and basic functionality. The following tests are supported: 
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• ICMP 

• TCP 

• SSL 

• HTTP 

• HTTPS 

• Group 

• Composite and reference to a composite result 

• ICAP 

• Websense 

• DRTR rating service 

health check type — The kind of device or service the specific health check tests. The 
following types are supported: 

• Forwarding host and forwarding group 

• SOCKS gateway and SOCKS gateway group 

• CAP service and ICAP service group 

• Websense off-box service and Websense off-box service group 

• DRTR rating service 

• User-defined host and a user-defined composite 

heartbeat — Messages sent once every 24 hours that contain the statistical and 
configuration data for the ProxySG, indicating its health. Heartbeats are 
commonly sent to system administrators and to Blue Coat. Heartbeats contain no 
private information, only aggregate statistics useful for pre-emptively diagnosing 
support issues. 

The ProxySG sends emergency heartbeats whenever it is rebooted. Emergency 
heartbeats contain core dump and restart flags in addition to daily heartbeat 
information. 

host affinity — The attempt to direct multiple connections by a single user to the 
same group member. Host affinity is closely tied to load balancing behavior; both 
should be configured if load balancing is important. 

host affinity timeout — The host affinity timeout determines how long a user remains 
idle before the connection is closed. The timeout value checks the user's IP 
address, SSL ID, or cookie in the host affinity table. 



inbound traffic (bandwidth gain) — Network packets flowing into the ProxySG. 
Inbound traffic mainly consists of the following: 

• Server inbound: Packets originating at the origin content server (OCS) and 
sent to the ProxySG to load a Web object. 
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• Client inbound: Packets originating at the client and sent to the ProxySG 
for Web requests. 

installable list — A list of configuration parameters that can be created using a text 
editor (either Blue Coat or another text editor) or through the CLI inline 
commands. The list can then be downloaded to the ProxySG from an HTTP server 
or locally from your PC. Configurations that can be created and installed this way 
include the SG Client, archiving, forwarding hosts, SOCKS gateways, ICP, policy 
files, and exceptions. 

integrated host timeout — An integrated host is an origin content server (OCS) that 
has been added to the health check list. The host, added through the 
integrate_new_hosts property, ages out of the integrated host table after 
being idle for the specified time. The default is 60 minutes. 

intervals — Time period from the completion of one health check to the start of the 
next health check. 

IP reflection — Determines how the client IP address is presented to the origin server 
for explicitly proxied requests. All proxy services contain a reflect-ip attribute, 
which enables or disables sending of client's IP address instead of the IP address 
of the ProxySG. 

issuer keyring — The keyring used by the ProxySG to sign emulated certificates. The 
keyring is configured on the appliance and managed through policy. 



licensable component (LC) — (Software) A subcomponent of a license; it is an option 
that enables or disables a specific feature. 

LCAMS — License Configuration and Management System. 

license — Provides both the right and the ability to use certain software functions 
within a Proxy AV (or ProxySG) appliance. The license key defines and controls 
the license, which is owned by an account. 

listener — The service that is listening on a specific port. A listener can be identified 
by any destination IP/subnet and port range. Multiple listeners can be added to 
each service. 

live content — Also called live broadcast. Used in streaming, it indicates that the 
content is being delivered fresh. 

LKF — License key file. 

load balancing — A way to share traffic requests among multiple upstream systems 
or multiple IP addresses on a single host. 

local bypass list — A list you create and maintain on your network. You can use a 
local bypass list alone or in conjunction with a central bypass list. 

local policy file — Written by enterprises (as opposed to the central policy file written 
by Blue Coat); used to create company- and department-specific advanced 
policies written in the Blue Coat Policy Language (CPL). 
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log facility — A separate log that contains a single logical file and supports a single 
log format. It also contains the file's configuration and upload schedule 
information as well as other configurable information such as how often to rotate 
(switch to a new log) the logs at the destination, any passwords needed, and the 
point at which the facility can be uploaded. 

log format — The type of log that is used: NCSA/ Common, SQUID, ELFF, 
SurfControl, or Websense. 

The proprietary log types each have a corresponding pre-defined log format that 
has been set up to produce exactly that type of log (these logs cannot be edited). In 
addition, a number of other EFFF type log formats are also pre-defined (im, main, 
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log 
fields for logging particular protocols understood by the ProxySG. It is also 
possible to create new log formats of type EFFF or Custom which can contain any 
desired combination of log fields. 

log tail — The access log tail shows the log entries as they get logged. With high 
traffic on the ProxySG, not all access log entries are necessarily displayed. 
However, you can view all access log information after uploading the log. 



M 

MACH5 — SGOS 5 MACH5 Edition. 

Management Console — A graphical Web interface that lets you to manage, 
configure, monitor, and upgrade the ProxySG from any location. The 
Management Console consists of a set of Web pages and Java applets stored on 
the ProxySG. The appliance acts as a Web server on the management port to serve 
these pages and applets. 

management information base (MIB) — Defines the statistics that management systems 
can collect. A managed device (gateway) has one or more MIBs as well as one or 
more SNMP agents, which implements the information and management 
functionality defined by a specific MIB. 

maximum object size — The maximum object size stored in the ProxySG. All objects 
retrieved that are greater than the maximum size are delivered to the client but are 
not stored in the ProxySG. 

Media Access Control (MAC) address — A unique value associated with a network 
adapter; also known as hardware address or physical address. For the ProxySG, it 
is a hardware address that is stored in each network card (such as an SSF 
accelerator card or a Quad GigE Fiber EX card) on the ProxySG. The MAC 
address uniquely identifies an adapter on a FAN and is a 12-digit hexadecimal 
number (48 bits in length). 

MIME/FILE type filtering — Allows organizations to implement Internet policies for 
both uploaded and downloaded content by MIME or FIFE type. 

multi-bit rate — The capability of a single stream to deliver multiple bit rates to 
clients requesting content from ProxySG appliances from within varying levels of 
network conditions (such as different connecting band widths and traffic). 

multicast — Used in streaming; the ability for hundreds or thousands of users to 
play a single stream. 



114 



multicast aliases — Used in streaming; a streaming command that specifies an alias 
for a multicast URL to receive an .nsc file. The .nsc files allows the multicast 
session to obtain the information in the control channel 

multicast station — Used in streaming; a defined location on the proxy where the 
Windows Media player can retrieve streams. A multicast station enables multicast 
transmission of Windows Media content from the cache. The source of the 
multicast-delivered content can be a unicast-live source, a multicast (live) source, 
and simulated live (video-on-demand content converted to scheduled live 
content). 

multimedia content services — Used in streaming; multimedia support includes Real 
Networks, Microsoft Windows Media, Apple QuickTime, MP3, and Flash. 



name inputing — Allows a ProxySG to resolve host names based on a partial name 
specification. When a host name is submitted to the DNS server, the DNS server 
resolves the name to an IP address. If the host name cannot be resolved. Blue Coat 
adds the first entry in the name-inputing list to the end of the host name and 
resubmits it to the DNS server 

native FTP — Native FTP involves the client connecting (either explicitly or 
transparently) using the FTP protocol; the ProxySG then connects upstream 
through FTP (if necessary). 

NCSA common log format — Blue Coat products are compatible with this log type, 
which contains only basic HTTP access information. 

network address translation (NAT) — The process of translating private network (such 
as intranet) IP addresses to Internet IP addresses and vice versa. This 
methodology makes it possible to match private IP addresses to Internet IP 
addresses even when the number of private addresses outnumbers the pool of 
available Internet addresses. 

non-cacheable objects — A number of objects are not cached by the ProxySG because 
they are considered non-cacheable. You can add or delete the kinds of objects that 
the appliance considers non-cacheable. Some of the non-cacheable request types 
are: 

• Pragma no-cache, requests that specify non-cached objects, such as when 
you click refresh in the Web browser. 

• Password provided, requests that include a client password. 

• Data in request that include additional client data. 

• Not a GET request. 

.nsc file — Created from the multicast station definition and saved through the 
browser as a text file encoded in a Microsoft proprietary format. Without an .nsc 
file, the multicast station definition does not work. 



115 



Volume 7: Managing Content 



NTP — To manage objects in an appliance, a ProxySG must know the current 
Universal Time Coordinates (UTC) time. By default, the ProxySG attempts to 
connect to a Network Time Protocol (NTP) server to acquire the UTC time. The 
ProxySG includes a list of NTP servers available on the Internet, and attempts to 
connect to them in the order they appear in the NTP server list on the NTP tab. 



object (used in caching) — An object is the item that is stored in an appliance. These 
objects can be frequently accessed content, content that has been placed there by 
content publishers, or Web pages, among other things. 

object (used in Visual Policy Manager) — An object (sometimes referred to as a 
condition) is any collection or combination of entry types you can create 
individually (user, group, IP address/ subnet, and attribute). To be included in an 
object, an item must already be created as an individual entry. 

object pipelining — This patented algorithm opens as many simultaneous TCP 
connections as the origin server will allow and retrieves objects in parallel. The 
objects are then delivered from the appliance straight to the user's desktop as fast 
as the browser can request them. 

Online Certificate Status Protocol (OCSP) — An Internet protocol used for obtaining the 
revocation status of an X.509 digital certificate. OCSP was created as an 
alternative to certificate revocation lists (CRL), specifically addressing certain 
problems associated with using CRLs in a public key infrastructure (PKI). OCSP 
servers are called OCSP responders due to the request/ response nature of these 
messages. 

origin content server (OCS) — Also called origin server. This is the original source of 
the content that is being requested. An appliance needs the OCS to acquire data 
the first time, to check that the content being served is still fresh, and to 
authenticate users. 

outbound traffic (bandwidth gain) — Network packets flowing out of the ProxySG. 
Outbound traffic mainly consists of the following: 

• Client outbound: Packets sent to the client in response to a Web request. 

• Server outbound: Packets sent to an OCS or upstream proxy to request a 
service. 



PAC (Proxy AutoConfiguration) scripts — Originally created by Netscape, PACs are a 
way to avoid requiring proxy hosts and port numbers to be entered for every 
protocol. You need only enter the URL. A PAC can be created with the needed 
information and the local browser can be directed to the PAC for information 
about proxy hosts and port numbers. 

packet capture (PCAP) — Allows filtering on various attributes of the Ethernet frame 
to limit the amount of data collected. You can capture packets of Ethernet frames 
going into or leaving a ProxySG. 
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parent class (bandwidth gain) — A class with at least one child. The parent class must 
share its bandwidth with its child classes in proportion to the minimum/ 
maximum bandwidth values or priority levels. 

passive mode data connections (PASV) — Data connections initiated by an FTP client to 
an FTP server. 

pipelining — See object pipelining. 

policies — Groups of rules that let you manage Web access specific to the needs of 
an enterprise. Policies enhance ProxySG feature areas such as authentication and 
virus scanning, and let you control end-user Web access in your existing 
infrastructure. 

policy-based bypass list — Used in policy. Allows a bypass based on the properties of 
the client, unlike static and dynamic bypass lists, which allow traffic to bypass the 
appliance based on destination IP address. See also dynamic bypass. 

policy layer — A collection of rules created using Blue Coat CPL or with the VPM. 

pragma: no cache (PNC) — A metatag in the header of a request that requires the 
appliance to forward a request to the origin server. This allows clients to always 
obtain a fresh copy. 

proxy — Caches content, filters traffic, monitors Internet and intranet resource 
usage, blocks specific Internet and intranet resources for individuals or groups, 
and enhances the quality of Internet or intranet user experiences. 

A proxy can also serve as an intermediary between a Web client and a Web server 
and can require authentication to allow identity-based policy and logging for the 
client. 

The rules used to authenticate a client are based on the policies you create on the 
ProxySG, which can reference an existing security infrastructure — LDAP, 
RADIUS, IWA, and the like. 

Proxy Edition — SGOS 5 Proxy Edition. 

proxy service — The proxy service defines the ports, as well as other attributes, that 
are used by the proxies associated with the service. 

proxy service (default) — The default proxy service is a service that intercepts all 
traffic not otherwise intercepted by other listeners. It only has one listener whose 
action can be set to bypass or intercept. No new listeners can be added to the 
default proxy service, and the default listener and service cannot be deleted. 
Service attributes can be changed. 

ProxySG — A Blue Coat security and cache box that can help manage security and 
content on a network. 

public key certificate — An electronic document that encapsulates the public key of 
the certificate sender, identifies this sender, and aids the certificate receiver to 
verify the identity of the certificate sender. A certificate is often considered valid if 
it has been digitally signed by a well-known entity, which is called a Certificate 
Authority (such as VeriSign). 

public virtual IP (VIP) — Maps multiple servers to one IP address and then propagates 
that information to the public DNS servers. Typically, there is a public VIP known 
to the public Internet that routes the packets internally to the private VIP. This 
enables you to "hide" your servers from the Internet. 
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real-time streaming protocol (RTSP) — A standard method of transferring audio and 
video and other time-based media over Internet-technology based networks. The 
protocol is used to stream clips to any RTP-based client. 

reflect client IP attribute — Enables the sending of the client's IP address instead of the 
SG's IP address to the upstream server. If you are using an application delivery 
network (ADN), this setting is enforced on the concentrator proxy through the 

Configuration > App. Delivery Network > Tunneling tab. 

registration — An event that binds the appliance to an account, that is, it creates the 
Serial#, Account association. 

remote authentication dial-in user service (RADIUS) — Authenticates user identity via 
passwords for network access. 

Return to Sender (RTS) — A way of allowing outgoing TCP packets to use the same 
network interface on which the corresponding incoming TCP packets arrived. 
The destination Media Acess Control (MAC) address for the outgoing packets is 
the same as the source MAC address of the incoming packets. See also Media 
Access Control (MAC) address. 

reverse proxy — A proxy that acts as a front end to a small number of predefined 
servers, typically to improve performance. Many clients can use it to access the 
small number of predefined servers. 

routing information protocol (RIP) — Designed to select the fastest route to a 
destination. RIP support is built into ProxySG appliances. 

router hops — The number of jumps a packet takes when traversing the Internet. 
RTS — See Return to Sender. 



secure shell (SSH) — Also known as Secure Socket Shell. SSH is an interface and 
protocol that provides strong authentication and enables you to securely access a 
remote computer. Three utilities — login, ssh, and scp — comprise SSH. Security via 
SSH is accomplished using a digital certificate and password encryption. 
Remember that the Blue Coat ProxySG requires SSH1. A ProxySG supports a 
combined maximum of 16 Telnet and SSH sessions. 

serial console — A third-party device that can be connected to one or more Blue 
Coat appliances. Once connected, you can access and configure the appliance 
through the serial console, even when you cannot access the appliance directly. 

server certificate categories — The hostname in a server certificate can be categorized 
by BCWF or another content filtering vendor to fit into categories such as 
banking, finance, sports. 

server portals — Doorways that provide controlled access to a Web server or a 
collection of Web servers. You can configure Blue Coat appliances to be server 
portals by mapping a set of external URLs onto a set of internal URLs. 
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server-side transparency — The ability for the server to see client IP addresses, which 
enables accurate client-access records to be kept. When server-side transparency 
is enabled, the appliance retains client IP addresses for all port 80 traffic to and 
from the ProxySG. In this scheme, the client IP address is always revealed to the 
server. 

service attributes — Define the parameters, such as explicit or transparent, cipher 
suite, and certificate verification, that the ProxySG uses for a particular service. 

sibling class (bandwidth gain) — A bandwidth class with the same parent class as 
another class. 

signed system image — Cryptographically signed with a key known only to Blue 
Coat, and the signature is verified when the image is downloaded to the system. 

simple network management protocol (SNMP) — The standard operations and 
maintenance protocol for the Internet. It consists of a set of standards for network 
management, including an application layer protocol, a database schema, and a 
set of data objects. In SNMP, the available information is defined by management 
information bases (MIBs), which describe the structure of the management data. 

simulated live — Used in streaming. Defines playback of one or more video-on- 
demand files as a scheduled live event, which begins at a specified time. The 
content can be looped multiple times, or scheduled to start at multiple start times 
throughout the day. 

SmartReporter log type — A proprietary ELFF log type that is compatible with the 
SmartFilter SmartReporter tool. 

SOCKS — A proxy protocol for TCP/IP-based networking applications that allows 
users transparent access across the firewall. If you are using a SOCKS server for 
the primary or alternate forwarding gateway, you must specify the appliance's ID 
for the identification protocol used by the SOCKS gateway. The machine ID 
should be configured to be the same as the appliance's name. 

SOCKS proxy — A generic way to proxy TCP and UDP protocols. The ProxySG 
supports both SOCKSv4/ 4a and SOCKSv5; however, because of increased 
username and password authentication capabilities and compression support. 
Blue Coat recommends that you use SOCKS v5. 

splash page — The custom message page that displays the first time you start the 
client browser. 

split proxy — Employs co-operative processing at the branch and the core to 
implement functionality that is not possible in a standalone proxy. Examples of 
split proxies include: 

• Mapi Proxy 

• SSE Proxy 

SQUID-compatible format — A log type that was designed for cache statistics and is 
compatible with Blue Coat products. 

squid-native log format — The Squid-compatible format contains one line for each 
request. 

SSL authentication — Ensures that communication is with "trusted" sites only. 
Requires a certificate issued by a trusted third party (Certificate Authority). 
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SSL client — See SSL device profile. 

SSL device profile — Used to determine various SSL parameters for outgoing HTTPS 
connections. Specifically, its role is to: 

• Identify the SSL protocol version that the ProxySG uses in negotiations 
with origin servers. 

• Identify the cipher suites used. 

• Determine which certificate can be presented to origin servers by 
associating a keyring with the profile. 

SSL interception — Decrypting SSL connections. 

SSL proxy — A proxy that can be used for any SSL traffic (HTTPS or not), in either 
forward or reverse proxy mode. 

static route — A manually-configured route that specifies the transmission path a 
packet must follow, based on the packet's destination address. A static route 
specifies a transmission path to another network. 

statistics — Every Blue Coat appliance keeps statistics of the appliance hardware 
and the objects it stores. You can review the general summary, the volume, 
resources allocated, cache efficiency, cached contents, and custom URLs generated 
by the appliance for various kinds of logs. You can also check the event viewer for 
every event that occurred since the appliance booted. 

stream — A flow of a single type of data, measured in kilobits per second (Kbps). A 
stream could be the sound track to a music video, for example. 

SurfControl log type — A proprietary log type that is compatible with the SurfControl 
reporter tool. The SurfControl log format includes fully-qualified usernames 
when an NTLM realm provides authentication. The simple name is used for all 
other realm types. 

syslog — An event-monitoring scheme that is especially popular in Unix 
environments. Most clients using Syslog have multiple devices sending messages 
to a single Syslog daemon. This allows viewing a single chronological event log of 
all of the devices assigned to the Syslog daemon. The Syslog format is: "Date Time 
Hostname Event." 

system cache — The software cache on the appliance. When you clear the cache, all 
objects in the cache are set to expired. The objects are not immediately removed 
from memory or disk, but a subsequent request for any object requested is 
retrieved from the origin content server before it is served. 



TCP window size — The number of bytes that can be buffered before the sending host 
must wait for an acknowledgement from the receiving host. 

time-to-live (TTL) value — Used in any situation where an expiration time is needed. 
For example, you do not want authentication to last beyond the current session 
and also want a failed command to time out instead of hanging the box forever. 

traffic flow (bandwidth gain) — Also referred to as flow. A set of packets belonging to 
the same TCP/UDP connection that terminate at, originate at, or flow through the 
ProxySG. A single request from a client involves two separate connections. One of 
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them is from the client to the ProxySG, and the other is from the ProxySG to the 
OCS. Within each of these connections, traffic flows in two directions — in one 
direction, packets flow out of the ProxySG (outbound traffic), and in the other 
direction, packets flow into the ProxySG (inbound traffic). Connections can come 
from the client or the server. Thus, traffic can be classified into one of four types: 

• Server inbound 

• Server outbound 

• Client inbound 

• Client outbound 

These four traffic flows represent each of the four combinations described above. 
Each flow represents a single direction from a single connection. 

transmission control protocol (TCP) — TCP, when used in conjunction with IP (Internet 
Protocol) enables users to send data, in the form of message units called packets, 
between computers over the Internet. TCP is responsible for tracking and 
handling, and reassembly of the packets; IP is responsible for packet delivery. 

transparent proxy — A configuration in which traffic is redirected to the ProxySG 
without the knowledge of the client browser. No configuration is required on the 
browser, but network configuration, such as an L4 switch or a WCCP-compliant 
router, is required. 

trial period — Starting with the first boot, the trial period provides 60 days of free 
operation. All features are enabled during this time. 



unicast alias — Defines an name on the appliance for a streaming URL. When a 
client requests the alias content on the appliance, the appliance uses the URL 
specified in the unicast-alias command to request the content from the origin 
streaming server. 

universal time coordinates (UTC) — A ProxySG must know the current UTC time. By 
default, the appliance attempts to connect to a Network Time Protocol (NTP) 
server to acquire the UTC time. If the ProxySG cannot access any NTP servers, 
you must manually set the UTC time. 

URL filtering — See content filtering. 

URL rewrite rules — Rewrite the URLs of client requests to acquire the streaming 
content using the new URL. Lor example, when a client tries to access content on 
www.mycompany.com, the ProxySG is actually receiving the content from the 
server on 10.253.123.123. The client is unaware that mycompany.com is not 
serving the content; however, the ProxySG access logs indicate the actual server 
that provides the content. 



WCCP — Web Cache Communication Protocol. Allows you to establish redirection 
of the traffic that flows through routers. 
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Web FTP — Web FTP is used when a client connects in explicit mode using HTTP 
and accesses an ftp:/ / URL. The ProxySG translates the HTTP request into an 
FTP request for the OCS (if the content is not already cached), and then translates 
the FTP response with the file contents into an HTTP response for the client. 

Websense log type — A Blue Coat proprietary log type that is compatible with the 
Websense reporter tool. 



XML responder — HTTP XML service that runs on an external server. 

XML requestor — XML realm. 
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